I just want to inform you guys, that Leaflet-wikitude.php is open for any kind of SQL injection, maybe it would be nice to fix :)
the above get request have been seen on multiple blogs running this plugin, what it does, is to select the user_activation_key from the wp_users table, why is this useful?
You see, people can request a password reset, this will add this user_activation_key to the database, if people can inject the site, to get access to this activation key, it will be possible to get into a WP site, and do weird stuff.
So please, take a look at the leaflet-wikitude file, and protect it against SQL injection. This is a serious security issue.