This recommendation applies to version 1.2.7 of this plugin, but the most recent version is 1.3.7. These findings may no longer be correct.
Findings
On line 574 of unconfirmed.php, text from $_REQUEST is escaped for insertion into an SQL query using sanitize_text_field(), which, unlike $wpdb->prepare() or esc_sql(), is not considered adequate protection against SQL injection. The code appears not to be vulnerable because of WordPress’s emulation of magic_quotes_gpc.
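The pattern described in this finding, next to a parameterised form, as an added example that is not code from the plugin. It assumes a WordPress context where $wpdb is available; the function names, the 's' request parameter and the query are hypothetical.

```php
<?php
// Added illustration, not the plugin's code. Function names, the 's'
// parameter and the query are hypothetical; run inside WordPress.

// Pattern from the finding: sanitize_text_field() strips tags, line breaks
// and extra whitespace, but performs no SQL escaping. The string literal
// stays intact only because WordPress adds slashes to $_REQUEST at load
// time (wp_magic_quotes(), its emulation of magic_quotes_gpc).
function example_find_user_fragile() {
    global $wpdb;
    $term = isset( $_REQUEST['s'] ) ? sanitize_text_field( $_REQUEST['s'] ) : '';
    return $wpdb->get_results(
        "SELECT ID, user_login FROM {$wpdb->users} WHERE user_login = '$term'"
    );
}

// Hardened form: remove the emulated slashes explicitly, sanitize for
// content, then let $wpdb->prepare() quote and escape the value.
function example_find_user_prepared() {
    global $wpdb;
    $term = isset( $_REQUEST['s'] )
        ? sanitize_text_field( wp_unslash( $_REQUEST['s'] ) )
        : '';
    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT ID, user_login FROM {$wpdb->users} WHERE user_login = %s",
            $term
        )
    );
}
```

The first function stops being safe as soon as the value is passed through wp_unslash() or stripslashes(), or comes from a source WordPress does not slash; the second does not depend on that side effect.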