I was contacted by a security expert, who gave me time to visit the plugin and fix the vulnerability.
In the spirit of responsible disclosure, the vulnerability was released.
Since the vulnerability is published, I highly suggest updating to the latest of Metronet Tag Manager.