A security team called fixed before hacked.com has recently informed me of a cross-site exploit, caused by a hole in the file includes/update_profile_include.php, which can allow a malicious user to change a logged-in user's profile. Don't panic, though! As ever, I have created a fix, and you are encouraged to update your site. As this is a simple fix and I am rather busy with development, I have opted not to release a patch. However, you can download the file from CVS using the link below. The SourceForge download has been updated to include the fixed line. Thanks to Chislam for the information.
Update: fixed a minor error, sorry for any inconvenience.