Perhaps I have missed something, but there doesn't seem to be any kind of input sanitisation going on. If you look at the itsas_search() functions, it seems that the SQL queries are being constructed WITHOUT any safeguards against SQL injection attacks. Nowhere is mysql_real_escape_string() called. If no sanitisation is present, this represents a massive security problem for the plugin users.
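The pattern the post describes, next to a parameterised form, as an added example that is not the plugin's itsas_search() code or part of the original post. The function names, table and inputs are hypothetical, and an in-memory SQLite database (PHP's pdo_sqlite extension assumed) stands in for the plugin's MySQL tables so the script runs offline.

```php
<?php
// Added example: hypothetical helpers, not the plugin's own code.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT)");
$db->exec("INSERT INTO posts (title) VALUES
           ('O''Brien on backups'), ('100% uptime'), ('Release notes')");

// Pattern described in the post: user input concatenated into the SQL text,
// so any quote in the input changes the structure of the statement.
function search_unsafe(PDO $db, string $term): array {
    $sql = "SELECT title FROM posts WHERE title LIKE '%" . $term . "%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened form: the term is sent as a bound parameter, never as SQL text.
function search_safe(PDO $db, string $term): array {
    // Escape LIKE wildcards too, so % and _ in the input match literally.
    $escaped = strtr($term, ['!' => '!!', '%' => '!%', '_' => '!_']);
    $stmt = $db->prepare(
        "SELECT title FROM posts WHERE title LIKE :term ESCAPE '!'"
    );
    $stmt->execute([':term' => '%' . $escaped . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed inputs: an ordinary apostrophe and a wildcard are enough
// to show that the concatenated query does not treat input as data.
foreach (["O'Brien", "%", "notes"] as $term) {
    try {
        $unsafe = json_encode(search_unsafe($db, $term));
    } catch (PDOException $e) {
        $unsafe = 'statement altered by input: ' . $e->getMessage();
    }
    $safe = json_encode(search_safe($db, $term));
    printf("term=%s\n  unsafe: %s\n  safe:   %s\n", $term, $unsafe, $safe);
}
```

With the bound parameter, "O'Brien" returns its one matching row and "%" matches only the title that contains a literal percent sign; the concatenated version fails on the first and returns every row on the second.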