Plugin inspection:

AVH Extended Categories Widgets

Use with caution

Last revised:

Confidence: Medium
This plugin has been given a short, targeted code review.

Before using this plugin, you should carefully consider these findings. Read more about this recommendation.

Findings

  • Generates error messages
  • SQL is not escaped at the point of use in some instances
  • 2.8/class/avh-ec.admin.php contains several potential SQL injections, but files within 2.8 only seem to be required if the WordPress version is less than 3.3
  • Uses unserialize(), which is generally inadvisable; it is unclear whether user-provided strings can reach it
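To make the two findings above concrete, here is an added illustration (not code from the AVH Extended Categories Widgets plugin) of the patterns a reviewer looks for in a WordPress plugin: a query assembled by string concatenation next to the same query passed through $wpdb->prepare(), and a raw unserialize() call next to a form that refuses to instantiate objects. Function and option names are hypothetical; only $wpdb->prepare(), get_option(), maybe_unserialize() and the PHP 7 allowed_classes option are real APIs.

```php
<?php
// Illustrative example, not the plugin's own code. Names below are hypothetical.

// --- Finding: "Execution of unprepared SQL statements" -------------------

// Pattern the review flags: the category ID is interpolated straight into
// the statement, so whatever reaches $cat_id becomes part of the SQL text.
function hypothetical_count_posts_unprepared( $cat_id ) {
    global $wpdb;
    $sql = "SELECT COUNT(*) FROM {$wpdb->term_relationships}
            WHERE term_taxonomy_id = " . $cat_id;
    return $wpdb->get_var( $sql );
}

// Prepared form: $wpdb->prepare() binds the value to a %d placeholder, so a
// non-numeric string is coerced to an integer instead of being executed.
function hypothetical_count_posts_prepared( $cat_id ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT COUNT(*) FROM {$wpdb->term_relationships}
         WHERE term_taxonomy_id = %d",
        $cat_id
    );
    return $wpdb->get_var( $sql );
}

// --- Finding: "Uses unserialize()" ---------------------------------------

// Pattern the review flags: if $blob can originate from a request, any class
// with a __wakeup()/__destruct() method becomes reachable on deserialization.
function hypothetical_load_settings_raw( $blob ) {
    return unserialize( $blob );
}

// Safer form for plain option data: refuse to instantiate any object
// (allowed_classes => false, PHP 7.0+), and fall back to defaults on failure.
function hypothetical_load_settings_safe( $blob ) {
    $data = unserialize( $blob, array( 'allowed_classes' => false ) );
    return is_array( $data ) ? $data : array();
}

// For values stored with update_option(), WordPress already serializes and
// deserializes transparently; maybe_unserialize() is the core helper.
function hypothetical_widget_options() {
    return maybe_unserialize( get_option( 'hypothetical_widget_options', array() ) );
}
```

The check a reviewer applies is mechanical: every $wpdb->query/get_var/get_results call whose SQL string contains a variable should either be wrapped in $wpdb->prepare() or have its variables provably constant, and every unserialize() call should be traced back to confirm that its input cannot come from a request.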

Reason for the 'Use with caution' result

The plugin appears not to be vulnerable, but could interact with another component in such a way as to become vulnerable:

Using this plugin with versions of WP less than 3.3 will cause it to be vulnerable to multiple SQL injections.

Failure criteria

  • Execution of unprepared SQL statements

Read more about our failure criteria.