Note that this isn't in default Confluence installations. It applies to installations that have installed the Questions for Confluence plugin, which is an official Atlassian plugin.
Disappointing to see this coming from an Atlassian official plugin. I wonder if they outsourced this to some contractors and didn't review it closely, or if they developed this in-house.
This is the problem with big companies and big software projects. Your security is as weak as your dumbest/least trained dev team. This was probably thought of as a secondary priority project so the B team or C team got assigned to it.
The plugin page shows 8K installs when I checked: https://marketplace.atlassian.com/apps/1211644/questions-for...