While porting the module to Drupal 7, I noticed that it doesn't correctly escape page titles.

        $params = array(
          'uid' => $uid,
          'points' => -$nodepoints,
          'tid' => $tid,
          'operation' => 'Substract',
          'description' => t('User bought access to') . ' \'' . $node->title . '\'',
        );

So if a node title contains javascript, it will be executed when a user does access any page where the description is displayed.

This module only has a -dev release, so it is ok to handle security issues through the issue qeue, in case someone wonders...

Patch should follow soon.