This plugin does not escape SQL. There are several likely vectors for local file inclusion. It outputs errors during normal execution. This plugin contains a PHP file that needs to be accessed directly (as opposed to using /wp-admin/admin-ajax.php), which will require whitelisting in hardened environments where access to PHP files outside of WordPress core has been disabled.
Reason for the 'Potentially unsafe' result
The plugin contains or is likely to contain a vulnerability which could be exploited by an end user and which would compromise the site’s confidentiality, integrity or availability:
There are several include statements which seem very likely to contain LFI vulnerabilities.