DWR uses HTTP requests to access the server like any other web app, meaning the exposure of server-side code is the same (which is to say, Java methods are not exposed at all).
Is there a possibility of script injection and getting hold of some methods and do some hanky panky stuff?
Any time HTTP requests are being made the possibility of script or SQL injection exists. In this regard DWR (and other AJAX libraries) aren't different from any other web app, and you need to take the same precautions. The http://faq.javaranch.com/java/SecurityFaq points to some good reads about building secure web apps.
There's a couple of security considerations, but the bottom line is that DWR takes security VERY seriously, and Joe Walker is a very knowledgable guy when it comes to security, and I personally feel better about leaving my app's security in his hands than in any other AJAX library I've seen.
Now, more specifically, DWR does some things to deal with things like cross-site scripting and script injection. I'm frankly not qualified to go into detail on those things, but I know they're there.
DWR also lets you only expose the things you want to expose, and by default exactly ZERO classes are exposed through DWR, you have to explicitly allow DWR to remote class... although, by default when you say class A can be called via DWR it allows *any* method of said class to be called, so you have to remember that. It's very easy to reverse that policy and make only those methods you want exposed be callable.
DWR also ties in with J2EE security roles, so you can tie execution of arbitrary methods to users in given role(s). I *believe* I saw integration with Acegi also is possible, but I have no knowledge of that.
I think security with DWR is like most things, but only better: by default it's probably safer than many other things, but you *can* screw yourself without trying too hard