[REDACTED]
YukiSoha opened this issue · 2 comments
It's possible to create folders outside the hyperbox world directory by using "../" or absolute path operators.
This makes it possible for any player with access to a hyperbox to create a folder on the host system in any arbitrary location.
Additionally, it's possible to overwrite other dimensions using their name.
World folders should never be created using user input; instead, I recommend creating a numeric id/uuid/or random string and storing that inside the hyperbox nbt data so that it can locate the world folder.
I used to use random strings but I changed it to match the name of the hyperbox at the request of server ops to make it easier to identify which hyperbox dimension folder is which.
But yeah, it should be stricter and not allow "." in the ids. Can probably make it generate a legit-but-readable id from the display name instead of letting the user pick both the id and the name. Should be able to push fixes out later tonight.
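
One way to implement the fix discussed in this thread, shown as an added example that is not part of the original issue and is not the Hyperbox mod's own code: derive a readable id from the display name, avoid reusing an existing id, and confirm the resolved folder is a direct child of the world directory. The class and method names, `MAX_LEN`, the `box` fallback, and the sample paths and names are assumptions made for illustration.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Locale;
import java.util.Set;

public class WorldIdExample {
    // Hypothetical limit on the readable part of the id.
    static final int MAX_LEN = 32;

    /** Derive an id containing only [a-z0-9_] from a player-chosen display name. */
    static String idFromDisplayName(String displayName, Set<String> takenIds) {
        String slug = displayName.toLowerCase(Locale.ROOT)
                .replaceAll("[^a-z0-9]+", "_")   // removes '.', '/', ':' and backslashes
                .replaceAll("^_+|_+$", "");      // trim leading/trailing underscores
        if (slug.isEmpty()) slug = "box";        // hypothetical fallback for names like "..."
        if (slug.length() > MAX_LEN) slug = slug.substring(0, MAX_LEN);
        // Never reuse an existing id, so one box cannot take over another dimension's folder.
        String id = slug;
        for (int n = 2; takenIds.contains(id); n++) id = slug + "_" + n;
        return id;
    }

    /** Resolve the world folder and refuse anything that is not a direct child of baseDir. */
    static Path worldFolder(Path baseDir, String id) {
        Path base = baseDir.toAbsolutePath().normalize();
        Path target = base.resolve(id).normalize();
        if (!base.equals(target.getParent())) {
            throw new IllegalArgumentException("id escapes world directory: " + id);
        }
        return target;
    }

    public static void main(String[] args) {
        Path base = Paths.get("world", "dimensions", "hyperbox"); // constructed path
        Set<String> taken = Set.of("my_base");                    // constructed existing ids
        String[] names = { "My Base", "../../plugins", "/etc/cron.d", "C:\\Windows", "..." };
        for (String name : names) {
            String id = idFromDisplayName(name, taken);
            System.out.println(name + " -> " + id + " -> " + worldFolder(base, id));
        }
        try {
            worldFolder(base, "../escape"); // raw input that skipped the id step
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The containment check is kept even though the generated id can no longer contain path characters, so ids loaded from older saved data are still validated before a folder is created.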