A bit more snooping around uncovered that the AJAX eval () preview script wasn’t secured by a CSRF token which could easily be exploited by a malicious hacker.