I reported it to its author but no response was received.
You can fix it by editing playlist-controller.php at line 164, replacing:
$xml = $playlistController->getPlaylist($_GET["pp_playlist_id"]);
with
$xml = $playlistController->getPlaylist(mysql_real_escape_string($_GET["pp_playlist_id"]));
Hope it helps you.
