it might be possible to spoof the vendor id

[uniphil]

and edit forms for other users

check vendor.php line ~1136 update() and also __construct, which seems like it might get the id from the submitted form.

[uniphil]

marking as low priority because this isn't a generally-public form... hopefully vendors don't try to mess with other vendors!

[uniphil]

fixed