On further reflection I'm downgrading this one from "Critical" to "High", because there are a couple of mitigating factors:
1. The attacker has to have an account (i.e., be able to create or edit a page title)
2. The victim must be logged in (to have access to the watchlist link)
On further reflection I'm downgrading this one from "Critical" to "High", because there are a couple of mitigating factors:
1. The attacker has to have an account (i.e., be able to create or edit a page title)
2. The victim must be logged in (to have access to the watchlist link)