Add and check csrf token in form
Special:CreateCategory doesn't add and validate an anti-csrf token in the form. Logged in users can be tricked into creating categories by visiting a site that makes a request on behalf of the user.
Basic patch attached, but I don't have a system to test this available. Can someone check this?