Thread:User talk:MaxSem/vulnerable to CSRF attacks/reply

Basically, CSRF says it all. An attacker could forge a request to your special with JS that will mail whatever he wants. To fix this, you need to generate an unpredictable (for attacker) token with $wgUser->editToken instead of sha1("stsg") and check it with $wgUser->matchEditToken.

Other problems:
 * User names are not escaped on output. While restrictions on user names prevent this from escalating to full-scale XSS, this could lead to other inconveniences.
 * loadMessages is not really needed these days, just register your messages with $wgExtensionMessagesFiles.
 * "getLocalUrl . "\">" produces invalid XHTML, use the Html class to avoid things like that.
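The three fixes the reply asks for (session-bound token, escaped user name, Html class instead of pasted strings) in one place, as an added illustration that is not code from the extension under review or from MaxSem: a hypothetical "SendNote" special page whose class, field and message names are assumed, using the $wgUser / $wgRequest / $wgOut globals of the MediaWiki API the reply names.

```php
<?php
// Added illustration, not code from the extension under review: a hypothetical
// special page "SendNote" (class, form field and message names are assumed)
// that mails a user. The old $wgUser/$wgRequest/$wgOut globals are used to
// match the API named in the reply.
class SpecialSendNote extends SpecialPage {
	public function __construct() {
		parent::__construct( 'SendNote' );
	}

	public function execute( $par ) {
		global $wgUser, $wgRequest, $wgOut;
		$this->setHeaders();

		$target = $wgRequest->getText( 'target' );
		$text   = $wgRequest->getText( 'text' );

		// matchEditToken() compares against a token tied to this session, so a
		// request forged from another site (which cannot read the token) fails.
		if ( $wgRequest->wasPosted()
			&& $wgUser->matchEditToken( $wgRequest->getVal( 'wpEditToken' ) )
		) {
			$user = User::newFromName( $target );
			if ( $user && $user->getId() && $user->canReceiveEmail() ) {
				$user->sendMail( wfMsg( 'sendnote-subject' ), $text );
			}
			// Html::element() escapes $target, so a user name cannot inject markup.
			$wgOut->addHTML( Html::element( 'p', array(), wfMsg( 'sendnote-sent', $target ) ) );
			return;
		}

		// GET, or a POST whose token was missing or stale: (re)show the form.
		// Html::* builds well-formed, escaped markup instead of string-pasted "\">".
		$wgOut->addHTML(
			Html::openElement( 'form', array(
				'method' => 'post',
				'action' => $this->getTitle()->getLocalURL(),
			) ) .
			Html::hidden( 'wpEditToken', $wgUser->editToken() ) .
			Html::element( 'label', array( 'for' => 'target' ), wfMsg( 'sendnote-target' ) ) .
			Html::input( 'target', $target, 'text', array( 'id' => 'target' ) ) .
			Html::element( 'textarea', array( 'name' => 'text', 'rows' => 6 ), $text ) .
			Html::input( 'sendnote-submit', wfMsg( 'sendnote-submit' ), 'submit' ) .
			Html::closeElement( 'form' )
		);
	}
}
```

The token round-trips through the hidden wpEditToken field; because it is derived from the user's own session, a page on another origin cannot compute it and the forged POST falls through to the form branch without mailing anything.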