Input passed to the "msg_send" parameter in "messages.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
Update: The fix did not account for the $msg_send variable being blank, therefore preventing the use of the "write new message" button. This has now been rectified. Sorry for any inconvenience caused.
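The flaw described above and a hardened replacement, as an added PHP illustration rather than the project's own code from messages.php; the messages table, its id column and the PDO handle are assumptions.

```php
<?php
// Added illustration (not the project's own code): the shape of the flaw
// described above and a hardened replacement. The table name, the id
// column and the PDO connection are assumptions.

// Vulnerable pattern: the request value is concatenated straight into the
// query text, so whatever SQL the parameter carries becomes part of it.
function load_message_vulnerable(PDO $db, array $request): ?array
{
    $msg_send = $request['msg_send'] ?? '';
    $sql = "SELECT * FROM messages WHERE id = " . $msg_send;
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened pattern: validate the value, bind it as a typed parameter, and
// treat a blank value as "no message selected" so the new-message form is
// still reachable (the case the original fix broke).
function load_message_safe(PDO $db, array $request): ?array
{
    $msg_send = trim((string) ($request['msg_send'] ?? ''));
    if ($msg_send === '') {
        return null; // blank: caller shows the compose form, not an error
    }
    if (!ctype_digit($msg_send)) {
        throw new InvalidArgumentException('msg_send must be a numeric id');
    }
    $stmt = $db->prepare('SELECT * FROM messages WHERE id = :id');
    $stmt->bindValue(':id', (int) $msg_send, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}
```

A caller can then branch on a null return to render the compose form, while any non-numeric value is rejected before it reaches the database.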