From ChangeLog: -ACL security fix for PageEditor, thanks to Dr. Pleger for reporting -There was a bad, old bug that triggered if you did not use ACLs. In that case, moin used some simple (but wrong and incomplete) function to determine what a user (or bot) may do or may not do. The function is now fixed to allow only read and write to anon users, and only delete and revert to known users additionally - and disallow everything else.
web-apps please bump to latest version.
*** This bug has been marked as a duplicate of 57913 ***