To properly exploit this flaw, the attacker must have an account on the victim site and that account must have permissions to post new support tickets. Also, the BBCode parser must be on (this is the default setting). If these conditions are met, it is possible to inject a malicious link into the ticket message.
This particular script appends a new, hidden iframe to the existing page, directs it to the user edit page, and changes the admin's password to 'hackedpass' before directing the existing page to the spoofed destination, google.com. There is no notification in this exploit to let the attacker know it has succeeded. To achieve this, the attacker would want to add a bit more script to submit this information elsewhere. I'll leave that as an exercise for the attacker.