phpFox

phpFox. God how I hate it and sites running it. Don't tell me that it's some revolutionary new site that's so much better than MySpace or whatever. And when I give you security advice, don't just shrug it off thinking it's of no importance.

First off, default installations, which a lot of people haven't changed much, don't censor JavaScript at all. Meaning a regular

<script>alert('XSS')</script>

will execute without any troubles. I'm not going to go into the potential problems with that, but there are a lot.

A good censor setup in the admin panel can prevent that to a degree, but not completely. A preg_match-based filter in the backend would work much better, and for $300 there should be one present. You might think disabling HTML will fix this, but it doesn't. Through a flaw in how [link] tags are handled, you can still inject JavaScript.

[link='#' onclick='alert("XSS")']XSS[/link]

That will pop up a nice alert box like the previous script, only you have to click it. You can do the same thing using onhover, onmouseover, etc.
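The two payloads above get through because the tag handling trusts whatever sits between "[link=" and "]". As an added example (my code, not phpFox's, and not how phpFox parses tags internally), here is the kind of preg_match-based backend check the post asks for: escape all user text, then only turn a [link] tag into an anchor when its URL is a single token that validates as an absolute http(s) URL. Event-handler attributes never reach the output because the tag pattern simply does not match them. The helper names are my own.

```php
<?php
// Added example, not phpFox code: render user text so that raw HTML is inert
// and [link=URL]text[/link] cannot smuggle event-handler attributes.

function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Turn one validated [link] tag into an anchor; anything that is not a plain
// http(s) URL (javascript:, data:, '#' with extra attributes, ...) is rendered
// as its link text only.
function render_one_link(string $url, string $text): string
{
    if (!preg_match('~^https?://~i', $url) || filter_var($url, FILTER_VALIDATE_URL) === false) {
        return esc($text);
    }
    return '<a href="' . esc($url) . '" rel="nofollow">' . esc($text) . '</a>';
}

function render_link_tags(string $input): string
{
    // The URL token may not contain whitespace, quotes or ']', so
    // [link='#' onclick='...'] never matches and is shown as escaped text.
    $pattern = '~\[link=([^\s\]\'"]+)\](.*?)\[/link\]~is';
    $out = '';
    $pos = 0;
    if (preg_match_all($pattern, $input, $matches, PREG_SET_ORDER | PREG_OFFSET_CAPTURE)) {
        foreach ($matches as $m) {
            [$whole, $offset] = $m[0];
            $out .= esc(substr($input, $pos, $offset - $pos)); // plain text before the tag
            $out .= render_one_link($m[1][0], $m[2][0]);
            $pos = $offset + strlen($whole);
        }
    }
    return $out . esc(substr($input, $pos)); // plain text after the last tag
}

// Constructed inputs: the post's two payloads, a javascript: URL, and a legitimate link
$samples = [
    "<script>alert('XSS')</script>",
    "[link='#' onclick='alert(\"XSS\")']XSS[/link]",
    "[link=javascript:alert(1)]click[/link]",
    "see [link=https://example.com/?a=1&b=2]example[/link] for details",
];
foreach ($samples as $s) {
    echo render_link_tags($s), PHP_EOL;
}
```

The first three samples come out as inert text (or, for the javascript: case, as the bare word "click"); only the last one becomes an anchor, with the ampersand in its query string escaped. Escaping everything first and whitelisting a narrow tag shape is more robust than a censor word list, which has to guess every attribute name an attacker might use.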

And if that wasn't enough, the passwords are only stored as plain, unsalted md5 sums. No encryption.

[screenshot: phpfoxpass]

Take the md5 sum of 'qwerty' and that's what you would get. I would expect a lot better from a $300 script.
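A bare md5 of the password means two users with 'qwerty' share one row value and a precomputed table cracks them all at once. As an added example (my code, not phpFox's), this is what I would expect the script to do instead: store passwords with PHP's built-in password_hash(), which salts per user and uses a tunable bcrypt work factor, and upgrade legacy md5 rows transparently the next time the user logs in. The function names are my own; the legacy-row check assumes a legacy value is exactly a 32-character hex md5 digest, which a bcrypt string can never be.

```php
<?php
// Added example, not phpFox code: replace bare md5() storage with password_hash()
// and migrate existing md5 rows on successful login.

const HASH_OPTIONS = ['cost' => 12]; // bcrypt work factor; raise as hardware improves

function hash_password(string $password): string
{
    // PASSWORD_DEFAULT is bcrypt: random per-user salt baked into the result
    return password_hash($password, PASSWORD_DEFAULT, HASH_OPTIONS);
}

// Assumption: a legacy row holds exactly the 32 hex chars of an md5 digest.
function is_legacy_md5(string $stored): bool
{
    return (bool) preg_match('/^[0-9a-f]{32}$/i', $stored);
}

/**
 * Check $password against the stored value. Returns null if it does not match,
 * otherwise the value the caller should now store: a fresh bcrypt hash when the
 * row was legacy md5 or its cost is out of date, or the unchanged $stored.
 */
function check_and_upgrade(string $password, string $stored): ?string
{
    if (is_legacy_md5($stored)) {
        // Constant-time compare, then immediately replace the md5 with bcrypt
        if (!hash_equals(strtolower($stored), md5($password))) {
            return null;
        }
        return hash_password($password);
    }
    if (!password_verify($password, $stored)) {
        return null;
    }
    return password_needs_rehash($stored, PASSWORD_DEFAULT, HASH_OPTIONS)
        ? hash_password($password)
        : $stored;
}

// Constructed demo row: what a legacy install would hold for the password 'qwerty'
$legacyRow = md5('qwerty');

$upgraded = check_and_upgrade('qwerty', $legacyRow);   // "$2y$12$..." bcrypt string
var_dump(check_and_upgrade('wrong', $legacyRow) === null);
var_dump($upgraded !== null && password_verify('qwerty', $upgraded));
var_dump($upgraded !== null && check_and_upgrade('qwerty', $upgraded) === $upgraded);
```

On a real install the caller writes the returned value back to the user row whenever it differs from what was stored, so the md5 column empties out over time without forcing a password reset.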
