MediaWiki doesn't generate a unique wpEditToken for anonymous users, so it's trivially easy to build a CSRF attack. PoC is in the URL.
There are several ways to fix this:
- Generate wpEditToken based on the user's IP address
- Randomly generate a token and save it in the user's session
- Randomly generate a token and save it in a database which regularly cleans out stale tokens
I am not sure what the performance implications of each are, however. I can provide a patch once a decision is made.