First I looked at question/toggleflag.php, which seemed to lack any access control, then I went deeper to find out what the magic checksum is and I was greatly amused by the use of user->secret in question_flags::get_toggle_checksum(). The secret is very often empty, or known to each user because they receive it by email.
I have no idea what a question state is, but I find it funny that I can flip it at will, even as a guest, if I somehow guess the combination of ids, which may be disclosed when taking an actual test. Nothing is logged there either; you need to dig into the Apache logs to see what is going on.
I would personally expect real access control there instead of some magic md5 checksum done using some easy-to-guess values...
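To make the distinction concrete, here is an added example (not the commenter's code and not Moodle's own question/toggleflag.php) contrasting the pattern described above, where a checksum built from a user-known secret is the only check, with an endpoint that authenticates the session, authorizes the user against the attempt, and only then verifies a server-keyed token. All names here (`weak_toggle_flag`, `hardened_toggle_flag`, `$canViewAttempt`, `$serverKey`, the ids and the flag store) are hypothetical.

```php
<?php
// Added example: a hypothetical "toggle flag" endpoint, first as the weak pattern
// described in the comment, then hardened. Function and variable names are assumptions.

// --- Weak pattern: the checksum doubles as access control ---
// The per-user "secret" is often empty or already known to the user, so the
// checksum is guessable and nothing establishes who is making the request.
function weak_toggle_checksum(int $questionId, int $attemptId, string $userSecret): string {
    return md5($questionId . '-' . $attemptId . '-' . $userSecret);
}

function weak_toggle_flag(array $params, array $flags, string $userSecret): array {
    $expected = weak_toggle_checksum($params['qid'], $params['aid'], $userSecret);
    if ($params['checksum'] !== $expected) {   // the only check: no login, no ownership, no logging
        return $flags;
    }
    $flags[$params['aid']][$params['qid']] = !($flags[$params['aid']][$params['qid']] ?? false);
    return $flags;
}

// --- Hardened pattern: real authorization first, keyed token second ---
// 1. The request must come from an authenticated session.
// 2. The user must own (or be permitted to view) the attempt.
// 3. The token is an HMAC keyed with a server-only secret and bound to the user id,
//    compared in constant time; it guards integrity/CSRF, it is not the authorization.
// 4. Every decision, including denials, is logged by the application itself.
function make_toggle_token(int $userId, int $questionId, int $attemptId, string $serverKey): string {
    return hash_hmac('sha256', "$userId:$questionId:$attemptId", $serverKey);
}

function hardened_toggle_flag(?int $userId, array $params, array $flags, string $serverKey,
                              callable $canViewAttempt, callable $log): array {
    if ($userId === null) {
        $log("denied: anonymous toggle on attempt {$params['aid']}");
        throw new RuntimeException('login required');
    }
    if (!$canViewAttempt($userId, $params['aid'])) {
        $log("denied: user $userId not permitted on attempt {$params['aid']}");
        throw new RuntimeException('not permitted');
    }
    $expected = make_toggle_token($userId, $params['qid'], $params['aid'], $serverKey);
    if (!hash_equals($expected, $params['token'] ?? '')) {
        $log("denied: bad token from user $userId on attempt {$params['aid']}");
        throw new RuntimeException('invalid token');
    }
    $flags[$params['aid']][$params['qid']] = !($flags[$params['aid']][$params['qid']] ?? false);
    $log("user $userId toggled flag on question {$params['qid']} of attempt {$params['aid']}");
    return $flags;
}

// Constructed demonstration data (ids and key are placeholders).
$flags = [];
$serverKey = 'SERVER_SIDE_RANDOM_KEY_PLACEHOLDER';   // in practice: random, stored only on the server
$ownsAttempt = fn(int $uid, int $aid) => ($aid === 77 && $uid === 5);   // hypothetical ownership lookup
$log = fn(string $msg) => fwrite(STDERR, $msg . PHP_EOL);

// An anonymous request with an empty user secret passes the weak check and flips the flag.
$flags = weak_toggle_flag(['qid' => 12, 'aid' => 77, 'checksum' => weak_toggle_checksum(12, 77, '')], $flags, '');
var_dump($flags[77][12]);

// The same anonymous request against the hardened endpoint is rejected before any token is considered.
try {
    hardened_toggle_flag(null, ['qid' => 12, 'aid' => 77], $flags, $serverKey, $ownsAttempt, $log);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}

// The attempt's owner with a valid server-keyed token succeeds, and the action is logged.
$token = make_toggle_token(5, 12, 77, $serverKey);
$flags = hardened_toggle_flag(5, ['qid' => 12, 'aid' => 77, 'token' => $token], $flags, $serverKey, $ownsAttempt, $log);
var_dump($flags[77][12]);
```

The point of the hardened version is ordering: session and ownership checks decide whether the caller may act at all, the HMAC (keyed with material the user never sees) only protects the request from tampering, and the application writes its own audit line so nobody has to reconstruct events from Apache access logs.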