The /account/delete functionality is vulnerable to CSRF. In this way, an attacker can trick the victim to delete his own account just clicking on the link.
Steps to reproduce
Login with a user
Now go here: https://app.wallabag.it/account/delete
The account is now deleted without any confirmation