First of all, I hope that you can forward it off to
wikitech, but it
seems that a malicious user at Wikibooks used their user JS to do some
page move vandalism (see [[b:en:User:Vandel Damon/monobook.js]] for the
JS in question). It's not much of a security loophole as it is
undesirable for the wiki community, seeing that a lot of people would
have to undo a lot of page moves.
If there was some way in the back end to prevent this, it would be
that you can't do from a different form of client-side script or bot.
equivalent to user-performed actions and non-browser bots.
entirely, there is no way to protect against that distinct from general
restrictions on submissions from some user. The malicious user could
another source, a modifying proxy to insert it, or use a different
client-side tool to perform equivalent processing.
-- brion vibber (brion @ pobox.com