I hate to say it, but the current fix is insufficient and only changes the attack vector. It is still simple to redirect to a third-party site by including the website domain somewhere in the curl parameter.
Example: https://www.ubbcentral.com/forums/ubbthreads.php?ubb=changeprefs&what=style&value=1&curl=https://ubbdev.com/www.ubbcentral.com/
I am certain that the spammers will figure it out sooner or later. Personally, I would remove the entire "//domain.tld/ubbthreads.php/" part from the curl parameter.
