$_GET['delete'] is not escaped.
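The unescaped pattern and a hardened form side by side, as an added example that is not the vendor's code. The function names, the notice markup and the assumption that `delete` carries a numeric item id are hypothetical; the advisory only names the parameter.

```php
<?php
declare(strict_types=1);

// Added example, not the vendor's code. Function names and notice markup are
// hypothetical; the advisory only states that $_GET['delete'] is not escaped.

/** Escape a value for an HTML text or quoted-attribute context. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Pattern described by the advisory: the request value reaches the page as-is. */
function notice_unescaped(array $query): string
{
    return '<div class="notice">Deleted item ' . ($query['delete'] ?? '') . '</div>';
}

/** Hardened: validate against the expected type (assumed: numeric id), escape on output. */
function notice_hardened(array $query): string
{
    $raw = $query['delete'] ?? null;
    if (!is_string($raw)) {            // missing, or array form such as ?delete[]=1
        return '<div class="notice error">Missing or malformed item id</div>';
    }
    if (!ctype_digit($raw)) {          // reject anything that is not a plain decimal id
        return '<div class="notice error">Invalid item id: ' . e($raw) . '</div>';
    }
    return '<div class="notice">Deleted item ' . e($raw) . '</div>';
}

// Constructed sample inputs, shaped as $_GET would be after parsing.
$samples = [
    ['delete' => '42'],
    ['delete' => '<b>42</b>'],         // markup characters in the value
    ['delete' => ['42']],
    [],
];
foreach ($samples as $query) {
    echo notice_hardened($query), PHP_EOL;
}
// For comparison, the unescaped variant returns the markup unchanged:
echo notice_unescaped(['delete' => '<b>42</b>']), PHP_EOL;
```

`htmlspecialchars` with `ENT_QUOTES` covers HTML text and quoted attributes only; a value placed in a URL or inside a script block needs the encoder for that context.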
Proof of Concept:
XSS will be visible for admin:
Timeline:
- 13-11-2014: Discovered
- 13-11-2014: Vendor notified
- 16-11-2014: Version 1.5.13 released, issue resolved