This forum has so much promise and potential to be a great tool. However, it also has potential for being breached.
Two files look risky:
1. /captcha/shared.php (contains a couple of instances that use base64_):
$mystr = WPF...
$mystr = rawurlencode(base64_encode($mystr));
return $mystr;
Perhaps this file is safe but it doesn't seem like a good practice to use that code within PHP. Perhaps it's a non-issue for those that don't use the Captcha feature and the file can be removed without harming anything.
2. /wpf.class.php - not sure what happened to this file, but my FTP won't open to read it even when I change the file format from .php to something else, which raises red flags for me. I know that I modified it at one time with another program to fix some issues with it, and it's been reported to be a risky file.
Not sure if this file still needs to be accessed by the program or if it can be safely removed.
Also, in the interest of keeping things simple and not having extra files, it's a good idea to remove all of the foreign language interpretations in the i18n directory that you don't need.
I want to like this software and can tell that a lot of work went into it. However, its security is questionable.