You are absolutely right and security issues were always at the back of my mind. Thank you for alerting me to this vulnerability.
I did a test run to determine if indeed the vulnerability is possible. I typed the following into the browser and was able to download the zip file with contents intact.
You mentioned that I should make the script secure. Isn't the memberstatus check sufficient for that purpose or can script kiddies circumvent that check?
As far as dealing with current members, I will check to see if the GET variable passed to the script ends in ".mp3" and check for other suspicious characters before serving the mp3 files.
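An added example, not code from this thread, of the file-name check described in the post above: it accepts only a bare name from an allowlist of characters ending in ".mp3", then confirms the resolved path stays inside the media directory. The thread does not name the script's language, so Python is used here; `MEDIA_ROOT` and `resolve_mp3` are assumed names, and the member-status check is out of scope.

```python
import os
import re

# Assumed media directory; the original post does not name one.
MEDIA_ROOT = "/var/www/media/mp3"

# Allowlist: a bare file name made of safe characters and ending in ".mp3".
# Slashes, backslashes, NUL bytes, "%" and newlines are not in the set.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9 _.-]{0,99}\.mp3", re.IGNORECASE)


def resolve_mp3(requested, media_root=MEDIA_ROOT):
    """Return the absolute path that may be served, or None to reject."""
    if not isinstance(requested, str):
        return None
    # fullmatch anchors both ends, so "song.mp3.php" or "song.mp3\n" fail here.
    if not _SAFE_NAME.fullmatch(requested):
        return None
    # Dots are allowed in names, so refuse ".." explicitly.
    if ".." in requested:
        return None
    root = os.path.realpath(media_root)
    candidate = os.path.realpath(os.path.join(root, requested))
    # Containment check after symlink resolution: a link inside the media
    # directory that points elsewhere is refused as well.
    if os.path.commonpath([root, candidate]) != root:
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed request values, for illustration only.
    for value in ["song.mp3", "../backup.zip", "../backup.zip\x00.mp3",
                  "album/../song.mp3", "song.mp3.php"]:
        print(repr(value), "->", resolve_mp3(value))
```

A check that only tests whether the value ends in ".mp3" would pass `../private/other.mp3`; the allowlist and the containment check are what reject it.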