Hey, thought I would let you know you may want to change your info.php.
Find case 'acctactiv': and add htmlspecialchars to it; see the code below:
case 'acctactiv': // activate account
$output['uid']=htmlspecialchars(sanitize_and_format_gpc($_GET,'uid',TYPE_INT,0,0)); //Stops browser injections
$output['email']=htmlspecialchars(sanitize_and_format_gpc($_GET,'email',TYPE_STRING,$__field2format[FIELD_TEXTFIELD],''));//Stops browser injections
I would tell you when you can do browser injections, but I don't want anyone reading this to know. It isn't really hard to find out, but the above will stop this from happening.
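
An added example, not part of the original post or the project's code: validating the two activation parameters and encoding the string one with explicit htmlspecialchars flags, so quotes are encoded as well as angle brackets. The helper names h() and activation_output() are hypothetical, and the project's own sanitize_and_format_gpc() is not used here.

```php
<?php
// Added example with hypothetical helpers; not the project's code.

// Encode a value for use in HTML text or inside a quoted attribute.
function h(string $value): string
{
    // ENT_QUOTES encodes both ' and " (older PHP defaults leave ' alone);
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Build the template variables for the activation page from the query string.
function activation_output(array $query): array
{
    // uid: accept only a positive integer, otherwise fall back to 0.
    $uid = filter_var($query['uid'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);

    // email: accept only a syntactically valid address, otherwise ''.
    $email = filter_var($query['email'] ?? '', FILTER_VALIDATE_EMAIL);

    return [
        'uid'   => $uid === false ? 0 : $uid,
        // An apostrophe is allowed in an email local part, so validation
        // alone does not remove the need to encode on output.
        'email' => h($email === false ? '' : $email),
    ];
}

// Constructed sample query strings (not taken from the original post).
$samples = [
    ['uid' => '42',    'email' => 'user@example.com'],
    ['uid' => '42abc', 'email' => "o'brien@example.com"],
    ['uid' => ['x'],   'email' => 'not an address <b>'],
];

foreach ($samples as $query) {
    $out = activation_output($query);
    printf("uid=%d email=%s\n", $out['uid'], $out['email']);
}

// Encoding on its own, applied to a string containing markup characters.
echo h('a"\'<b>&'), "\n";
```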