Not sure if this has been reported, but it's working.
With
this plugin if a thread title has javascript in it, the javascript will be executed.
Example
That's an interesting bug you found. There could be potential security vulnerability if someone knew how to do so in such a short javascript line. Maybe use a plugin to monitor the thread titles (to prevent spams/unreasonable titles) for now if you insists on using it. Otherwise, I wouldn't worry much about that.
Thanks for the heads up; the plugin has been marked as vulnerable and the author has been informed.
Thanks for letting us know, a friend of mine managed to get this fixed up and sent it to me.
Download the attachment below.