See related {T120883}
rMWc711960e3f15: SECURITY: Act like users don't exist if hidden from viewer fixed EditPage in core; the same code exists in ApiVisualEditor (with the comment // HACK of course this code is partly duplicated from EditPage.php :() and also needs to be fixed there
To reproduce:
with the visual editor (both the visual and wikitext modes), visit
a userpage where the user exists but is hidden and a page where the user doesn't exist.