The form that confirms a permanent deletion doesn't use a CSRF token, allowing a malicious page to permanently delete arbitrary pages on any wiki where the user is logged in and has permission to use the DeletePagesForGood extension.
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
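
The missing check described above, shown as an added example (not code from the DeletePagesForGood extension): a confirmation handler that only performs the delete for a POST carrying a token bound to the user's session and the target page. Every function name, request field and the 'delete-for-good' action label is hypothetical, and the sample requests are constructed.

```php
<?php
// Added illustration; names are hypothetical, not the extension's source.

// Token is an HMAC over the action and page, keyed with a per-session secret.
function issueToken(string $sessionSecret, string $action, string $page): string {
    return hash_hmac('sha256', $action . "\0" . $page, $sessionSecret);
}

// Constant-time comparison; a missing or non-string token always fails.
function tokenIsValid(string $sessionSecret, string $action, string $page, $token): bool {
    if (!is_string($token) || $token === '') {
        return false;
    }
    return hash_equals(issueToken($sessionSecret, $action, $page), $token);
}

// Confirmation handler. $deletePage is a hypothetical callback that performs
// the irreversible delete; it is reached only after every check passes.
function handleConfirm(array $req, string $sessionSecret, callable $deletePage): string {
    if (($req['method'] ?? '') !== 'POST') {
        return 'rejected: state-changing request must be POST';
    }
    $page = $req['post']['page'] ?? '';
    if (!is_string($page) || $page === '') {
        return 'rejected: no page given';
    }
    $token = $req['post']['token'] ?? null;
    if (!tokenIsValid($sessionSecret, 'delete-for-good', $page, $token)) {
        return 'rejected: bad or missing CSRF token';
    }
    $deletePage($page);
    return 'deleted: ' . $page;
}

// Constructed sample requests.
$secret  = bin2hex(random_bytes(32)); // lives in the server-side session only
$deleted = [];
$delete  = function (string $p) use (&$deleted) { $deleted[] = $p; };

// Request without a token, as a cross-site form would send it.
$noToken = ['method' => 'POST', 'post' => ['page' => 'Main_Page']];
// Request from the wiki's own confirmation form.
$legit = ['method' => 'POST', 'post' => ['page' => 'Sandbox',
    'token' => issueToken($secret, 'delete-for-good', 'Sandbox')]];
// Valid token reused against a different page.
$reused = ['method' => 'POST', 'post' => ['page' => 'Main_Page',
    'token' => $legit['post']['token']]];

foreach ([$noToken, $legit, $reused] as $r) {
    echo handleConfirm($r, $secret, $delete), "\n";
}
```

Only the second request reaches the delete callback. In a MediaWiki extension the framework's own edit-token mechanism would take the place of the hand-rolled HMAC used here.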