The adminInit() function of the admin/includes/class.actions.snippets.php file, registered as an admin_init hook did not have any CSRF or capability checks for its close action, allowing unauthenticated users to delete arbitrary posts from the blog
https://example.com/wp-admin/admin-post.php?action=close&post=X