Log in at enwiki, then follow this link:
A new entry will immediately appear in your abuse filter log, even though you never passed the CSRF token by clicking "Move page". This could lead to a privacy loss if the link is followed from an external website.
The culprit is the call to Title::isValidMoveOperation() from MovePageForm::showForm(), from what I can tell.