I saw on Twitter a Piwik XSS tweet pointing to http://packetstormsecurity.org/1003-exploits/piwik-xss.txt
We should fix it and check other variables to ensure there is no XSS left.
I re-enabled the sensitive ticket plugin for this one, and set it to sensitive, which seems to work.
While [fixed the issue (by validating/filtering/escaping form_url), 2047 is a better solution -- it eliminates form_url entirely as a parameter/hidden form field.
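To illustrate the two approaches mentioned above (escaping the reflected `form_url` value versus dropping the request parameter altogether), here is an added example; it is not Piwik's code, and the function names and the constructed sample input are assumptions:

```php
<?php
// Added example, not Piwik's code. Assumes a page that reflects a
// "form_url" request parameter back into a hidden form field.

// Vulnerable pattern: the raw parameter is concatenated into an HTML
// attribute, so a value containing a double quote closes the attribute
// and the rest of the value becomes markup.
function hiddenFieldVulnerable(string $formUrl): string
{
    return '<input type="hidden" name="form_url" value="' . $formUrl . '">';
}

// Mitigation 1: validate, then escape for the attribute context.
// Only a relative path (no scheme, no protocol-relative "//") is accepted;
// anything else falls back to a fixed default.
function sanitizeFormUrl(string $formUrl): string
{
    if (!preg_match('#^/(?!/)[\w./?=&%-]*$#', $formUrl)) {
        return '/index.php';
    }
    return $formUrl;
}

function hiddenFieldEscaped(string $formUrl): string
{
    // ENT_QUOTES escapes both ' and ", which is what an attribute needs.
    $safe = htmlspecialchars(sanitizeFormUrl($formUrl), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="form_url" value="' . $safe . '">';
}

// Mitigation 2 (the approach the ticket prefers): do not take the form
// action from the request at all; derive it from server-side state.
function formActionFromRoute(string $module, string $action): string
{
    $query = http_build_query(['module' => $module, 'action' => $action]);
    return htmlspecialchars('/index.php?' . $query, ENT_QUOTES, 'UTF-8');
}

// Constructed sample input: a value that closes the attribute early.
$tainted = '"><b>injected</b>';
echo hiddenFieldVulnerable($tainted), PHP_EOL; // attribute broken, <b> rendered
echo hiddenFieldEscaped($tainted), PHP_EOL;    // rejected, default path emitted
echo hiddenFieldEscaped('/index.php?module=Login'), PHP_EOL; // kept, escaped
echo formActionFromRoute('Login', 'index'), PHP_EOL;        // no user input at all
```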
I've drafted a blog entry for the security advisory and will request a CVE later for the 0.6 release.
I disabled the sensitivity plugin for now, also closing this. Please reopen if there is an open issue.