As far as I can see, if the field name is valid and if the named field is presented in $_POST, it will be processed and added to the database.
It would be better if the program determined the list of inputs it should expect at the current stage, pulled and cleaned those from $_POST up front, and then worked only from that copy, not directly from the $_POST data. Currently, it merges previous step entries into $_POST and works from that.
This is an annoyance, but the input is still processed just as it would be if the field was part of the entry form.
The 'attack' in this case is not sophisticated. It is just a simple form in an HTML file that points to the real registration form as the action:
<form action="http://localhost/modules/profile/register.php" method="post" >
<input type="text" name="user_icq" value="icqvalue" />
<input type='submit' name='submitButton' value='Submit' title='Submit' />
</form>
Spammers are generally paid workers, and they use toolkits that use forms like these to automate as much data entry as possible. The payload is usually the links included. The dummy value in each field is just to make sure nothing required is omitted.
This is a bug, but by itself it has no security implications; input is handled just as it would be if the field was actually legitimately presented.
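The approach suggested in the post above (decide which inputs the current step expects, copy and clean those from $_POST, then work only from the copy), as an added example that is not part of the original post or the module's own code. The step numbers, field names, types and the `collect_step_input` helper are assumptions made for illustration.

```php
<?php
// Hypothetical per-step allow-list; the real module's fields may differ.
const STEP_FIELDS = [
    1 => ['uname' => 'string', 'email' => 'email'],
    2 => ['user_sig' => 'string', 'user_viewemail' => 'bool'],
];

/**
 * Copy only the fields expected at $step out of $post and clean them by type.
 * Unexpected field names (such as user_icq at step 1) are listed in $rejected
 * and never reach the returned array.
 */
function collect_step_input(int $step, array $post, array &$rejected = []): array
{
    $expected = STEP_FIELDS[$step] ?? [];
    // Everything that is neither an expected field nor the submit button.
    $rejected = array_keys(array_diff_key($post, $expected, ['submitButton' => 1]));

    $clean = [];
    foreach ($expected as $name => $type) {
        if (!isset($post[$name]) || !is_string($post[$name])) {
            continue; // missing or array-valued input is not accepted
        }
        $value = trim($post[$name]);
        switch ($type) {
            case 'email':
                $value = filter_var($value, FILTER_VALIDATE_EMAIL);
                if ($value === false) {
                    continue 2; // invalid address: skip this field entirely
                }
                break;
            case 'bool':
                $value = ($value === '1') ? 1 : 0;
                break;
            default:
                $value = substr($value, 0, 255); // length cap is an assumption
        }
        $clean[$name] = $value;
    }
    return $clean;
}

// Constructed sample mirroring the posted form: an extra user_icq field at step 1.
$post = ['uname' => ' alice ', 'email' => 'alice@example.com',
         'user_icq' => 'icqvalue', 'submitButton' => 'Submit'];
$rejected = [];
$clean = collect_step_input(1, $post, $rejected);
var_dump($clean);    // uname and email only
var_dump($rejected); // ['user_icq'], worth logging as a sign of automated submission
```

Cleaned values from earlier steps can be kept in the session rather than merged back into $_POST, so later code never reads the raw request array.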