Well definitely deny it then. I don't know where this came from, but tell the add-on dev to get the version from me.
For now, since the problem is solved (as far as I have control over), perhaps you could remove the vulnerability exposition, so anyone with unscrupulous interests can't find it an exploit iadd-ons using this version?