this is no security flaw since you must be already logged in within the webinterface of dd-wrt. otherwise this here will not work. we already fixed this issue in our sourcetree as additional information. this is no dd-wrt specific issue. all other firmware like openwrt etc. would suffer from it too. in fact. just a plain POST to a authenticated dd-wrt session. without beeing logged in locally it would not have any effect