Description
A DLL hijacking (planting) attack exploits the fact that, by default, the directory containing the executable is searched first when a DLL is loaded by name rather than by full path.
This is mitigated for KnownDLLs: those DLLs are always loaded from the system folder, regardless of whether a copy is present in the executable's folder.
The Open-Shell installer depends on version.dll, which is not in the KnownDLLs list, so it is vulnerable to DLL hijacking.
A malicious site can trick the user into downloading a malicious DLL into their Downloads folder. If that user later downloads the Open-Shell installer into the same folder and runs it, the malicious DLL may be loaded and executed.
The solution would be to get rid of the version.dll dependency.
If it cannot be eliminated completely, we should at least not link to it statically (through the import table) but load the DLL at run time using its full path.
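As an added example (not code from Open-Shell or from the issue reporter), the following Python script implements the check described above: it reads an executable's import table, drops every import that is a KnownDLL, and reports which remaining DLLs already exist next to the executable, i.e. the files the loader would pick up ahead of the system copy. The KnownDLLs subset, the sample PE image and the file names used in demo() are constructed for this example; on Windows the script reads the live KnownDLLs list from the registry instead.

```python
"""Flag imports of a PE file that are not KnownDLLs and could be hijacked by a
same-named DLL planted beside the executable. Added example, not project code."""
import os
import struct
import tempfile

# Constructed, representative subset of KnownDLLs (the real list is in
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs and varies
# by Windows version). version.dll is not a KnownDLL, as the issue states.
DEFAULT_KNOWN_DLLS = frozenset({
    "kernel32.dll", "user32.dll", "gdi32.dll", "advapi32.dll", "ole32.dll",
    "oleaut32.dll", "shell32.dll", "shlwapi.dll", "comdlg32.dll", "rpcrt4.dll",
    "ws2_32.dll", "imm32.dll", "sechost.dll", "setupapi.dll", "psapi.dll",
})


def load_known_dlls():
    """Return the live KnownDLLs set on Windows, else the built-in subset."""
    try:
        import winreg  # only available on Windows
    except ImportError:
        return DEFAULT_KNOWN_DLLS
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs")
    names, i = set(), 0
    while True:
        try:
            _, value, _ = winreg.EnumValue(key, i)
        except OSError:
            break  # no more values
        if isinstance(value, str) and value.lower().endswith(".dll"):
            names.add(value.lower())  # skips DllDirectory* values
        i += 1
    return frozenset(names)


def imported_dlls(data):
    """Parse the PE import directory and return the imported DLL names."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = pe + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:                                     # PE32+
        nrva_off, dd_base = opt + 108, opt + 112
    elif magic == 0x10B:                                   # PE32
        nrva_off, dd_base = opt + 92, opt + 96
    else:
        raise ValueError("unknown optional header magic")
    if struct.unpack_from("<I", data, nrva_off)[0] < 2:
        return []
    imp_rva = struct.unpack_from("<I", data, dd_base + 8)[0]  # directory 1 = imports
    if imp_rva == 0:
        return []
    sections = []
    for i in range(nsec):                                  # (VirtualSize, VA, RawSize, RawPtr)
        vsize, va, rsize, rptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, max(vsize, rsize), rptr))

    def rva_to_off(rva):
        for va, size, rptr in sections:
            if va <= rva < va + size:
                return rptr + (rva - va)
        raise ValueError("RVA outside all sections: %#x" % rva)

    names, off = [], rva_to_off(imp_rva)
    while off + 20 <= len(data) and data[off:off + 20] != bytes(20):
        name_rva = struct.unpack_from("<I", data, off + 12)[0]  # IMAGE_IMPORT_DESCRIPTOR.Name
        noff = rva_to_off(name_rva)
        names.append(data[noff:data.index(b"\0", noff)].decode("ascii"))
        off += 20
    return names


def hijackable_imports(data, known_dlls=DEFAULT_KNOWN_DLLS):
    """Imports the loader resolves via the search path, i.e. not KnownDLLs."""
    return [d for d in imported_dlls(data) if d.lower() not in known_dlls]


def find_planted_dlls(exe_path, known_dlls=DEFAULT_KNOWN_DLLS):
    """Hijackable imports that already exist in the executable's own folder."""
    with open(exe_path, "rb") as f:
        data = f.read()
    exe_dir = os.path.dirname(os.path.abspath(exe_path))
    return [os.path.join(exe_dir, d) for d in hijackable_imports(data, known_dlls)
            if os.path.isfile(os.path.join(exe_dir, d))]


def build_sample_pe(import_names):
    """Constructed minimal PE32+ holding only an import directory (not runnable)."""
    sec_rva, sec_raw = 0x1000, 0x200
    hdr = bytearray(sec_raw)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\0\0"
    coff = 0x44
    struct.pack_into("<HHIIIHH", hdr, coff, 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = coff + 20
    struct.pack_into("<H", hdr, opt, 0x20B)
    struct.pack_into("<I", hdr, opt + 108, 16)                  # NumberOfRvaAndSizes
    n_desc = len(import_names) + 1                              # plus null terminator
    struct.pack_into("<II", hdr, opt + 120, sec_rva, 20 * n_desc)
    body = bytearray(20 * n_desc)
    for i, name in enumerate(import_names):
        struct.pack_into("<I", body, 20 * i + 12, sec_rva + len(body))
        body += name.encode("ascii") + b"\0"
    sec = opt + 240
    hdr[sec:sec + 8] = b".idata\0\0"
    struct.pack_into("<IIII", hdr, sec + 8, len(body), sec_rva, len(body), sec_raw)
    return bytes(hdr) + bytes(body)


def demo():
    """The issue's scenario in a scratch Downloads folder (constructed names)."""
    with tempfile.TemporaryDirectory() as downloads:
        exe = os.path.join(downloads, "Installer.exe")
        with open(exe, "wb") as f:
            f.write(build_sample_pe(["KERNEL32.dll", "VERSION.dll"]))
        for planted in ("VERSION.dll", "KERNEL32.dll"):   # attacker drops both
            with open(os.path.join(downloads, planted), "wb") as f:
                f.write(b"MZ")
        return [os.path.basename(p) for p in find_planted_dlls(exe)]


if __name__ == "__main__":
    print(demo())  # only VERSION.dll: KERNEL32.dll is a KnownDLL and is ignored
```

On a real machine, call `find_planted_dlls(path, load_known_dlls())` against the installer sitting in the Downloads folder; any hit is a DLL the loader will take from that folder instead of System32.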