Couldn't you just target pretty much any dynamic page on the web with such a script? All you'd have to do is edit a few details. I don't understand how this qualifies as a security hole?