It's not so much that it's wrongly coded as it is that there's no protection against automated processes and XSS attacks. An XSS attack is anything that causes a remote system to target your site. It could be a hidden iframe in a webpage which has a form and submits it when the main page loads, or it could be an image tag that calls your webpage. The point is that if you get enough people stumbling onto this page, your server could be flooded with form submissions, spam etc., or it could face several million page requests.
You could use a key set in the session to check that the form being submitted was one generated by your site. That will put a stop to a lot of automated submissions.
You only need to worry about XSS attacks against pages where people can change their passwords, send emails etc. If you look at this forum you'll see that on the password change page it asks for your existing password. If it didn't, an attacker could use the iframe technique to change your password and log you out before calling another page to email your new password to them.
There are probably many more complex attacks too.
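The session key check suggested in the post above, as an added example that is not part of the original post (this pattern is usually called an anti-CSRF token). It is framework-neutral: the server-side session is modelled as a plain dict, and the field name `form_token` and the `/change-email` form are assumptions made for illustration.

```python
import hmac
import secrets

FORM_KEY = "form_token"  # hypothetical name for the session entry and hidden field


def issue_form_token(session: dict) -> str:
    """Store a fresh unguessable token in the session and return it."""
    token = secrets.token_urlsafe(32)
    session[FORM_KEY] = token
    return token


def render_form(session: dict) -> str:
    """Embed the session's token in the form so only pages we served carry it."""
    token = issue_form_token(session)
    return (
        '<form method="post" action="/change-email">'
        f'<input type="hidden" name="{FORM_KEY}" value="{token}">'
        '<input type="email" name="email"><button>Save</button></form>'
    )


def accept_submission(session: dict, post: dict) -> bool:
    """Accept a POST only if it carries the token issued to this session."""
    expected = session.get(FORM_KEY)
    supplied = post.get(FORM_KEY)
    if not isinstance(expected, str) or not isinstance(supplied, str):
        return False  # no form was issued, or the request has no token
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False  # token does not match: form was not generated by us
    del session[FORM_KEY]  # consume on success so a replayed POST fails
    return True


def demo() -> dict:
    """Run constructed requests against one constructed session."""
    session = {}
    token = issue_form_token(session)
    email = {"email": "user@example.test"}
    return {
        "no_token": accept_submission(session, dict(email)),
        "wrong_token": accept_submission(session, {FORM_KEY: "guess", **email}),
        "genuine": accept_submission(session, {FORM_KEY: token, **email}),
        "replay": accept_submission(session, {FORM_KEY: token, **email}),
    }


if __name__ == "__main__":
    print(demo())
```

A form auto-submitted from a hidden iframe on another site cannot read the token out of the victim's session, so it lands in the `no_token` or `wrong_token` case.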