There is a report of an XSS vulnerability in this WordPress plugin: http://seclists.org/bugtraq/2011/Dec/26 which I have now tested, and it seems to be valid:
If this PHP file is not meant to be called and executed by users, one should add a prohibitive line to the PHP file. There are plenty of examples in other modules, or I can give you one. If it is, please ensure proper user input validation.
I tested with WordPress version 3.2.1 and plugin version 1.5.2. Please contact me if you need any help!
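
The two remedies named in the report, sketched as an added example that is not part of the original post and is not the plugin's own code. The function name, the `status` parameter and the allow-list values are hypothetical; `ABSPATH` and `esc_html()` are provided by WordPress.

```php
<?php
// Hypothetical plugin file; names and values below are constructed for illustration.

// Remedy 1: the file is only meant to be include()d by WordPress.
// WordPress defines ABSPATH before it loads plugins, so a direct HTTP
// request to this file finds the constant undefined and stops here.
if ( ! defined( 'ABSPATH' ) ) {
    http_response_code( 403 );
    exit;
}

// Remedy 2: the file does handle user input.
// Validate on the way in, escape on the way out.
function example_status_message( array $query ) {
    $allowed = array( 'saved', 'deleted', 'error' ); // constructed allow-list

    // Reject missing values and array-typed parameters (?status[]=...).
    $raw = ( isset( $query['status'] ) && is_string( $query['status'] ) )
        ? $query['status']
        : '';

    // Anything outside the allow-list is replaced, never echoed back.
    $status = in_array( $raw, $allowed, true ) ? $raw : 'error';

    // esc_html() encodes HTML special characters, so the output stays
    // safe even if the allow-list is later widened to free-form text.
    return '<p class="notice">' . esc_html( $status ) . '</p>';
}

echo example_status_message( $_GET );
```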