While writing on a plug-in, I encountered some kind of a problem. It isn't really a security issue, but it can seriously mess up a blog.
While saving options, there are no tests wether the entered values have the correct type.
e.g. if I choose to have the value "xyz" for the "posts_per_page", there is no real control on wether it is a numeric value or not.
It gives (of course!) an error while viewing the site, because some bogus value was inserted in the SQL-query.
In the options-table, there is a field "option_type", but that's never used. It is fetched once from MySQL but not even used that time. maybe it's the intention to use it for this kind of security purpose.
but maybe I'm just paranoid and is there no need to worry about it at all...