Further analysis turned up one genuine bug in the distribution. It lies in the Search Highlight plugin. We have not been able to find a way to exploit it, but it is not inconceivable that a determined attacker could. To fix it, change the two lines starting near line 52 of the plugin to the following:
// Decode the request values first, then strip any HTML tags they contain.
$searched = strip_tags(urldecode($_REQUEST['searched']));
$highlight = strip_tags(urldecode($_REQUEST['highlight']));
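The following is an added example, not code from the MODX distribution or the Search Highlight plugin. It shows why the order in the patch (urldecode() first, then strip_tags()) matters, and how the sanitized term is then rendered safely. The function names (sanitizeSearchParam, sanitizeSearchParamWrongOrder, highlightTerm) and the sample request are constructed for illustration.

```php
<?php
// Added example, not part of MODX or the Search Highlight plugin.
// Demonstrates the effect of the patched ordering urldecode() -> strip_tags()
// against a double-encoded payload. Function names and the request are constructed.

// The patched form: decode, then strip tags.
function sanitizeSearchParam(string $raw): string
{
    return strip_tags(urldecode($raw));
}

// The reversed order, for comparison: strip tags first, then decode.
function sanitizeSearchParamWrongOrder(string $raw): string
{
    return urldecode(strip_tags($raw));
}

// Render the highlighted fragment. Both the content and the term are HTML-encoded
// with htmlspecialchars() before being placed in the page, so nothing in either is
// treated as markup. strip_tags() alone would not protect an attribute context
// such as value="...", which is why output encoding is still applied here.
function highlightTerm(string $content, string $term): string
{
    $safeContent = htmlspecialchars($content, ENT_QUOTES, 'UTF-8');
    if ($term === '') {
        return $safeContent;
    }
    $safeTerm = htmlspecialchars($term, ENT_QUOTES, 'UTF-8');
    $pattern  = '/' . preg_quote($safeTerm, '/') . '/i';
    return preg_replace($pattern, '<span class="searchHighlight">$0</span>', $safeContent);
}

// Constructed request. PHP has already URL-decoded $_REQUEST once, so a value that
// still contains %3C came from a double-encoded URL (%253C). That is exactly the
// input a tag filter applied before urldecode() cannot see.
$request = [
    'searched'  => 'modx',
    'highlight' => '%3Cscript%3Ealert(1)%3C%2Fscript%3Emodx',
];

$patched = sanitizeSearchParam($request['highlight']);
$wrong   = sanitizeSearchParamWrongOrder($request['highlight']);

echo "patched order: ", $patched, "\n";
echo "wrong order:   ", $wrong, "\n";

$searched = sanitizeSearchParam($request['searched']);
echo highlightTerm('Welcome to MODX, the modx CMS.', $searched), "\n";
```

Run with `php example.php`. With the wrong ordering the `<script>` tag survives intact, because strip_tags() sees only percent-encoded text and the later urldecode() turns it back into a live tag; with the patched ordering the tag is removed before it can reach the page. Note that strip_tags() removes tags but does not encode characters such as `"` or `'`, so it is not a substitute for htmlspecialchars() wherever the value is echoed inside an HTML attribute.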
Alternatively, you can simply disable the Search Highlight plugin entirely by logging into the manager and going to Resources > Manage Resources > Plugin tab. From there, click the Search Highlight plugin name in the list, then check the first checkbox near the top that says "Plugin Disabled" (or the equivalent string in your local language).
The build currently available on the download page already contains this patch. If you are running an existing site, the best option is to patch or disable the Search Highlight plugin as described above.