There are two major security vulnerabilities in the Quake3 engine. The first is included in the client and allows malicious server admins to execute arbitrary malicious code on players’ computers. The second makes it possible to download any files from servers, provided that they have the sv_allowdownload parameter set to 1.
Id has released an update for both bugs. Since World of Padman uses the Quake3 engine, our PadMod is also affected by these errors. I can only strongly advise to install the updates. You can find the advisory on securityfocus.org.