The plugin is extremely large at over 16k SLOC of PHP. SQL is not escaped. Requires PHP files within the plugin directory to be executable. HTML is not escaped in many instances.
Reason for the 'Potentially unsafe' result
The plugin contains or is likely to contain a vulnerability which could be exploited by an end user and which would compromise the site’s confidentiality, integrity or availability:
Contains XSS vulnerability. Contains blind SQL injection vulnerability. Due to the massive amount of code and the ease with which these vulnerabilities were found, more vulnerabilities of this type seem likely.