The comments display functionality in /modules/tp-comments/functions.php does not check the approval status of pingbacks and trackbacks before displaying them, which allows spammy pingbacks to be injected straight into the posts of anyone using it.

Suggest movingif ( $comment->comment_approved == '1' ) : from off line 29 (comments case) to before theswitch statement, and the correspondingendif; from line 63 to afterendswitch;