Thanks to both seoincorporation & MagicSnow for finding the bugs. Both will be paid as soon as we fix these bugs. We already have MagicSnow's address. Requesting seoincorporation to PM his address too. Anyone else may report their further findings.
Thank you, btw the message from "seoincorporation" was sent after my PMs (listing more vulnerability and in details)