A page on their website is vulnerable to an SQL injection attack. Previously it would have been possible to use this attack to pull session ids (for the forum) and other data from the database (the attacker was able to 'guess' them in ~4 minutes by throwing a bunch of queries at the db), possibly hijack sessions, and potentially use SMF's extension upload utility to execute one's own code (such as code to query the database and modify the table with the URLs).
As a 'fix' the code now appears to check the variable for certain keywords (and certain URLs are 'blacklisted' by the webserver); however, it is still possible to 'modify' the query that is being done on the database.
It's pretty terrible that such a flaw existed in the code in the first place, but to attempt to fix the problem in such a manner screams incompetence. I think the marketplace comparison link in the sidebar should be changed.
Seems pointless to attack this website anyways
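
The keyword-check 'fix' described in the first post, set beside a parameterized query, as an added example that is not part of the original thread and not the site's code. The table, column names, blacklist pattern and sample rows are constructed assumptions, and SQLite stands in for the site's database.

```python
import re
import sqlite3

def make_db():
    """In-memory database with constructed sample rows (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE listings (id INTEGER, url TEXT, hidden INTEGER)")
    db.executemany(
        "INSERT INTO listings VALUES (?, ?, ?)",
        [(1, "http://a.example", 0),
         (2, "http://b.example", 0),
         (3, "http://c.example", 1)],  # hidden row the page should never show
    )
    return db

# Assumed shape of a keyword blacklist: reject some SQL words and comment marks.
BLACKLIST = re.compile(r"\b(union|select|insert|update|delete|drop)\b|--|;", re.I)

def lookup_keyword_filter(db, item_id):
    """The 'fix' pattern: screen for keywords, then still concatenate into SQL."""
    if BLACKLIST.search(item_id):
        raise ValueError("rejected by keyword filter")
    sql = "SELECT url FROM listings WHERE hidden = 0 AND id = " + item_id
    return [row[0] for row in db.execute(sql)]

def lookup_parameterized(db, item_id):
    """The value is bound as data, so it can never change the query's structure."""
    sql = "SELECT url FROM listings WHERE hidden = 0 AND id = ?"
    return [row[0] for row in db.execute(sql, (item_id,))]

if __name__ == "__main__":
    db = make_db()
    crafted = "1 OR 1=1"  # contains no blacklisted keyword
    # Concatenation lets the input rewrite the WHERE clause: the hidden row leaks.
    print("keyword filter :", lookup_keyword_filter(db, crafted))
    # Bound as a value, the same string matches no id at all.
    print("parameterized  :", lookup_parameterized(db, crafted))
    print("parameterized  :", lookup_parameterized(db, "1"))
```

The filter does stop inputs that contain a listed word, which is why this kind of patch looks effective in a quick retest while the query remains modifiable.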