You need proper pentesting around JSON, code execution, API security, XSS. Mainly sanitising user input: someone has highly likely, possibly, slipped malicious code through somewhere. You need to prevent them from executing such code, and you must validate user input, if your issue is related, of course.
Thanks for all this. It's beyond me though! I'm looking into a new script, will test it publicly soon.