$_GET['delete'] is not escaped.

json_return() function doesn't check admin privileges.

is_admin() function is used to check priveleges but because this code is run in context of wp-admin/admin-ajax.php this function always evalute to true.

Datas from Open End questions are not escaped properly.

REQUEST['src'] is passed directly into file_get_contents function.

$_GET['gpid'] is not escaped.

_form_makercfm() is accessible for every registered user.

$_GET['searchll'] is not escaped.