PyIB Thoughts (7)

3 Name: Anonymous : 2010-03-17 17:47 ID:Heaven [Del]

So it looks like SQLAlchemy isn't actually used anywhere, despite that setting. In all, there don't appear to be any "real" exploits, at least not ones that were immediately apparent. Just be careful with the admin password, although I imagine losing it wouldn't be too much of a loss anyway - what would people do, delete posts? Big deal there.

The most significant issue I see is that it's written by someone who obviously is a PHP programmer. It's a decent start but it needs cleaning up. I think switching to SQLAlchemy (and not in conjunction with the mess that it has now) and getting rid of the FetchOne() junk would be a very good first step toward making it a nice clean codebase. Splitting everything into proper MVC instead of generating HTML inside the post function and other haphazard and sloppy coding would also be highly beneficial. A lot of the points I listed are little stylistic issues; having worked with Trevorchan's source code, this is an enormous improvement. I don't think I could find ten consecutive lines in Trevorchan that didn't have some major problem.
