I found another security vulnerability, probably one of the last.
It was in install script.
If you don't have install/ip.txt, or if you removed the whole install folder - you are safe.
You can also apply this patch - 8e7cb12
In worst scenario it allows to give admin rights to the specific account.
So check your accounts table to see if you are already compromised - search for web_flags = 3.
Full changelog:
Added
- New Setting: Require Vowels for character name (41272b3)
Fixed
- Don't trust cloudflare IP, can be spoofed (8e7cb12)
- Rewrite how install works, to prevent unauthorized access (f408663)
Updated
- Update clients list to include 15.10 & 15.11 (cc9c607)