I don't see any vulnerability on this page. It does use prepared statements, so SQL injection shouldn't be possible. I don't see any hand coding that would have opened any vulnerabilities. Can I get a copy of the report that says there is a problem? Does it have any details?