It's not a bug, it's a user error. It happens because /timer re-evaluates the parameters passed to it each time it fires. So %two is evaluated once in the script that calls /timer and another time when the /timer fires. mirc has always worked this way, and rightfully so; this is what allows you to type
/timer 0 1 echo -s $time in an editbox and have mirc report the actual time instead of the string "$time". All this is basic info that scripters ought to know. In fact, many scripters do, that's why they advise people to use aliases inside /timer. Generally, you should avoid passing variables/identifiers of unknown content to /timer, /scon or /scid, unless you are an experienced scripter and really know how to escape them (using % $+ varname or $eval(%varname,0) etc). If not, stick with aliases:
on 1:text:*:#:{
if ($1 == !makemesay) && ($chan == #temp) {
set %two $2-
timer 1 1 messagenick
}
}
alias messagenick msg #temp $nick made me say %two
By the way, I (and many others) am getting tired of seeing "exploit" reports every once in a while, that turn out to be anything but actual exploits. People should avoid using such words because the only thing they achieve is scare and discourage people, especially newbies.