It's secure enough; all I would do is clean up the regex a bit, to: /^!XP (\S+) (\d+)$/S

Code:
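; Regex text event: matches "!XP <player> <points>" in any channel
on $*:text:/^!XP (\S+) (\d+)$/S:#:{
  ; $regml(1) = player name, $regml(2) = points to add to the stored total
  var %a = $regml(1), %stats = $readini(Stats.ini,XP,%a) + $regml(2)
  writeini Stats.ini XP %a %stats
  msg # Total stats for %a $+ : %stats
}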


To the original requester: You should set some access flags, so that not everyone can use this command. In its current state, anyone can type !xp <player> <points> and it will update them.
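
One way to apply the restriction suggested above, as an added example that is not part of the original post: the same handler, but it ignores the command unless the sender is a channel operator, and it reads the stored total with the n switch so the file content is not evaluated. The "ops only" policy and the %old variable are assumptions made for this example.

```mirc
; Added example: the handler above, restricted to channel operators.
on $*:text:/^!XP (\S+) (\d+)$/S:#:{
  ; Assumed policy: only ops in the channel may change XP totals.
  if ($nick !isop #) { return }

  var %a = $regml(1)

  ; n switch: return the stored value as plain text instead of evaluating it.
  var %old = $readini(Stats.ini,n,XP,%a)

  ; $calc treats a missing entry as 0, so a new player starts from the points given.
  var %stats = $calc(%old + $regml(2))

  writeini Stats.ini XP %a %stats
  msg # Total stats for %a $+ : %stats
}
```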