Basically, w:CSRF says it all. An attacker could forge a request to your special with JS that will mail whatever he wants. To fix this, you need to generate an unpredictable (for the attacker) token with $wgUser->editToken() instead of sha1("stsg") and check it with $wgUser->matchEditToken().
Other problems:
- User names are not escaped on output. While restrictions on user names prevent this from escalating to full-scale XSS, this could lead to other inconveniences.
- loadMessages() is not really needed these days, just register your messages with $wgExtensionMessagesFiles.
- "<form method=\"post\" action=\"" . $thisTitle->getLocalUrl() . "\">" produces invalid XHTML, use the Html class to avoid things like that.
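An added example (not code from the reviewed extension or from MediaWiki itself) that puts the four points above together: the predictable-token form as the review describes it, beside a version that uses $wgUser->editToken() / matchEditToken(), escapes the user name, builds the form with the Html class, and registers messages through $wgExtensionMessagesFiles. The special page name "SendMail", the field names wpRecipient/wpSubmit, the message key and the i18n file name are assumptions made for the example; the MediaWiki globals and Html methods are the real ones.

```php
<?php
// Added example, not the reviewed extension's code. Assumes a hypothetical special
// page "SendMail"; $wgUser, $wgRequest, $wgOut and the Html class are MediaWiki's.

// Message registration: no loadMessages() needed, just point at the i18n file
// (file name and message key are assumptions for this example).
$wgExtensionMessagesFiles['SendMail'] = dirname( __FILE__ ) . '/SendMail.i18n.php';

// --- BEFORE: the pattern the review objects to ------------------------------
// sha1("stsg") is a constant, so every attacker knows it; a hidden auto-submitting
// form on any site can POST it along with a forged request.
function sendMailForm_before( $thisTitle ) {
    global $wgOut, $wgUser;
    $wgOut->addHTML(
        "<form method=\"post\" action=\"" . $thisTitle->getLocalUrl() . "\">" .    // raw '&' in URL: invalid XHTML
        "<input type=\"hidden\" name=\"token\" value=\"" . sha1( "stsg" ) . "\" />" . // predictable token
        "Sending as " . $wgUser->getName() .                                       // user name not escaped
        "<input type=\"submit\" /></form>"
    );
}

// --- AFTER ------------------------------------------------------------------
function sendMailForm_after( $thisTitle ) {
    global $wgOut, $wgUser;
    $wgOut->addHTML(
        // Html::openElement escapes attribute values, so '&' in the action URL becomes '&amp;'
        Html::openElement( 'form', array( 'method' => 'post', 'action' => $thisTitle->getLocalURL() ) ) .
        // editToken() is bound to the current session, so an attacker cannot predict it
        Html::hidden( 'wpEditToken', $wgUser->editToken() ) .
        // Html::element escapes its text, so a user name containing '<' or '"' is inert
        Html::element( 'p', array(), wfMsg( 'sendmail-sending-as' ) . ' ' . $wgUser->getName() ) .
        Html::input( 'wpRecipient', '', 'text' ) .
        Html::input( 'wpSubmit', 'Send', 'submit' ) .
        Html::closeElement( 'form' )
    );
}

// Handling the submission: only a POST carrying a token that matches the current
// session may trigger a send. Returns a status string so the caller can report it.
function sendMailSubmit() {
    global $wgRequest, $wgUser;
    if ( !$wgRequest->wasPosted() ) {
        return 'not-posted';   // a GET (e.g. a link the victim clicked) never sends mail
    }
    if ( !$wgUser->matchEditToken( $wgRequest->getVal( 'wpEditToken' ) ) ) {
        return 'bad-token';    // forged or stale request: refuse without sending
    }
    $recipient = $wgRequest->getVal( 'wpRecipient' );
    // ... perform the actual send with $recipient here ...
    return 'sent';
}
```

The two checks in sendMailSubmit() belong together: matchEditToken() alone would still accept a token leaked into a GET URL, and wasPosted() alone is exactly the state the review describes, where any cross-site form submission goes through.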