Forum Replies Created

Viewing 2 replies - 1 through 2 (of 2 total)
  • firstclasswatches

    (@firstclasswatches)

    Hello,

    I also hope the developer can roll in a similar fix to the next update as it would be inconvenient to replace this manually following every update.

    Thanks

    Scott

    firstclasswatches

    (@firstclasswatches)

    Hello,

    This does not appear to leave the plugin open to SQL injection as when this particular function fails it returns false but it does generate a PHP warning. I am facing the same errors in my log as the OP.

    The bug is that it is using mysql_real_escape_string without referencing an open connection and therefore this fails because your database needs a password to establish a new connection and thus the database cannot escape the string for you.

    There are three instances of this in common/util.php and I believe the WordPress function esc_sql can be dropped in as an appropriate working replacement for whatever escaping activity is going on here. I haven’t dug deep enough to see whether this referrer hits the database or whether this escaping is done out of an abundance of caution.

    Thanks,

    Scott
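    Added illustration of the pattern described in the reply above, beside the esc_sql drop-in; this is not code from the plugin or from the poster, and the function names, the referrer variable and the plugin_hits table are assumed:

    ```php
    <?php
    // Added example, not the plugin's own code. The legacy helper mirrors the
    // PHP 5-era pattern described in the reply: mysql_real_escape_string() called
    // without a $link argument. With no open link PHP attempts an implicit
    // mysql_connect() using the php.ini defaults; when the database requires a
    // password that connection fails, PHP emits a warning and the function
    // returns false instead of an escaped string.
    function legacy_escape_referrer( $referrer ) {
        $escaped = mysql_real_escape_string( $referrer ); // no $link argument
        if ( false === $escaped ) {
            // Fail closed: a false return cast into a query becomes an empty
            // string, so the caller must not treat it as an escaped value.
            return null;
        }
        return $escaped;
    }

    // Drop-in replacement: esc_sql() escapes through the $wpdb connection that
    // WordPress already holds, so no second connection is attempted and no
    // warning is logged.
    function escape_referrer( $referrer ) {
        return esc_sql( $referrer );
    }

    // esc_sql() output is only safe inside a quoted SQL literal. If the referrer
    // does reach the database, $wpdb->prepare() handles quoting and escaping
    // together, which removes the need for a separate escaping step.
    // The plugin_hits table is a hypothetical name for this example.
    function count_hits_for_referrer( $referrer ) {
        global $wpdb;
        $sql = $wpdb->prepare(
            "SELECT COUNT(*) FROM {$wpdb->prefix}plugin_hits WHERE referrer = %s",
            $referrer
        );
        return (int) $wpdb->get_var( $sql );
    }
    ```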
