Please note that this module has no stable releases therefore this issue can be disclosed publicly. The Drupal Security Team has approved publishing this vulnerability publicly. Never in any case publish any security problems unless you have been told to do that by the Drupal Security Team. The team can be reached at security@drupal.org
This module suffers from multiple security vulnerabilities including:
- Cross Site Scripting
- Arbitrary code execution
The XSS vulnerability lies with several places where $vocab->name or taxonomy term name are used in insecure manner.
The ability to input PHP code when editing taxonomy is a vulnerability. Users with Administer taxonomy permission shouldn't be able to write PHP code.
In addition to that, the module suffers from several code style issues. I would recommend running the code through Coder module to fix most of the functions.