First, if you would like to handle this privately through the security team, reply and I can unplublish and move it to the security team queue but currently you are not opted in to the security coverage so this is the place.
There is no confirmation form or token protection for delete URLs leading to a CSRF attack.
I didn't immediately find the Drupal 8 version of this documentation but the general idea is the same. You'll want to protect it with a token, or as is more common, a confirmation form.
https://www.drupal.org/docs/7/security/writing-secure-code/create-forms-... →
Fixed
1.0
Code
It is used for security vulnerabilities which do not need a security advisory. For example, security issues in projects which do not have security advisory coverage, or forward-porting a change already disclosed in a security advisory. See Drupal’s security advisory policy for details. Be careful publicly disclosing security vulnerabilities! Use the “Report a security vulnerability” link in the project page’s sidebar. See how to report a security issue for details.
Not all content is available!
It's likely this issue predates Contrib.social: some issue and comment data are missing.