I appreciate that cuddlefish and davout point out publicly that there are issues.   Other users need to know that.  

I also think that their quick examples were pretty clear to experts, but can be confusing for novices.  So let me try to explain.  Maybe this will help you fix the issues.

Picture this scenario:  Someone logs into your site, and leaves it logged in, while they are, say um, reading bitcoin forums for example.  That doesn't seem too far fetched, does it?  And then they read a forum post that has an interesting link in it.  And they click on that link.  Maybe the post reads "Here's what you REALLY need to know about Bitcoin7's security" and then has a tiny url.  The user clicks on the link, and they are taken to a page on some remote server that POSTS to your site an instruction to sell bitcoins for a dollar.

Bam.  They have been exploited.  All because you have a vulnerability in your site.  
Or worse, it could post to a page that transfers Bitcoins to a particular Bitcoin Address.


See how serious that is?

Davout and cuddlefish, please correct me if I didn't describe that correctly.

Now, cuddlefish gave a WORKING demonstration, but he put "!!!" in the URL so that someone didn't click it by accident.  But if you were signed into your Bitcoin7 account in one tab, while you clicked on his link in another, you would have transmitted funds to instawallet.   Pretty scary.

Got it?
Don't minimize the advice that you are getting here.  This is a sharp group. They may not be explaining things at novice level, but do NOT assume you have nothing to learn from others!  Very risky!