Security checks should be hardened... I was able to send a punch even if I'm not logged in. Try to write the url with the querystring and the user receive a PM from a "non registered" user...
http://[forum_root]/vbpunch.php?punch=[YourUserId]&postid=1&warning=message
A workaround that seems to work (but I don't think is the right way):
In vbpunch.php replace:
PHP Code:
if ((!$vbulletin->options['vbpunch_enabled']) or (!$vbulletin->bf_ugp['vbpunch']['can_punch']))
with:
PHP Code:
if ((!$vbulletin->options['vbpunch_enabled']) or (!($permissions['vbpunch'] & $vbulletin->bf_ugp['vbpunch']['can_punch'])))