Hi Fred Woolard,
You're correct, there was a security bug related with Flowplayer (MDL-48085) which got fixed last week.
There was many proposed solutions, but we have decided to change the Flowplayer handling, making the php responsible to filter inappropriate content and get the flowplayer data.
The responsible method for calling the Flowplayer is:
flowplayer_send_flash_content($filename)
I guess you will need to change your plugin to call that method instead of using the swf file directly.
Looking the source code of your plugin I've found
this line, In this specific case you may need to change that line to:
'swf' => $flowlibpath . "/flowplayer-[0-9].[0-9].?*.swf.php
The same applies for all the flowplayer swf files (audio and controls).
Please let me know if I can assist with any other questions!
Thanks.