This script is possibly vulnerable to cross-site request forgery. Cross Site Reference Forgery (CSRF/XSRF) is a class of attack that affects web based applications with a predictable structure for invocation. An attacker tricks the user into performing an action of the attackers choosing by directing the victim's actions on the target application with a link or other content.
The attack works by including a link or script in a page that accesses a site to which the user is known (or is supposed) to have authenticated. Here is an example:
<img src="http://bank.example/withdraw?from=victim&amount=1000000&to=attacker">If the bank keeps authentication information in a cookie, and if the cookie hasn't expired, then victim's browser's attempt to load the image will submit the withdrawal form with his cookie.
This vulnerability is also known by several other names including Session Riding and One-Click Attack.
Insert custom random tokens into every form and URL that will not be automatically submitted by the browser. Check References for detailed information on protecting against this vulnerability.