Description
A script service method was introduced in 11.6RC1 as part of XWIKI-15488 to reset the counter of authentication failures. It was marked with the @Programming annotation on the assumption that this would be enough to restrict it to users with programming rights (PR).
That is not the case: the annotation is only indicative and is not used to perform any check. As a result, any user with script rights can currently use this method.
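The gap described above, shown as an added example that is not XWiki's code: a marker annotation next to an explicit rights check on the same operation. The names `RequiresProgramming`, `FailureCounterService` and the `Right` enum are hypothetical stand-ins, and the caller's rights are passed in directly to keep the example stand-alone.

```java
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

public class AnnotationIsNotACheck {
    enum Right { SCRIPT, PROGRAMMING }

    // Hypothetical marker annotation: metadata only, nothing evaluates it at call time.
    @Retention(RetentionPolicy.RUNTIME)
    @interface RequiresProgramming { }

    // Hypothetical service holding per-user authentication failure counters.
    static class FailureCounterService {
        final Map<String, Integer> failures = new HashMap<>();

        // "Before": the annotation documents intent but enforces nothing.
        @RequiresProgramming
        void resetAnnotatedOnly(Set<Right> callerRights, String user) {
            failures.remove(user);
        }

        // "After": the right is verified explicitly before any state changes.
        void resetChecked(Set<Right> callerRights, String user) {
            if (!callerRights.contains(Right.PROGRAMMING)) {
                throw new SecurityException("programming right required");
            }
            failures.remove(user);
        }
    }

    public static void main(String[] args) {
        Set<Right> scriptOnly = EnumSet.of(Right.SCRIPT); // constructed caller without PR
        FailureCounterService svc = new FailureCounterService();

        svc.failures.put("alice", 5); // constructed sample state
        svc.resetAnnotatedOnly(scriptOnly, "alice");
        System.out.println("annotation only, counter kept: " + svc.failures.containsKey("alice"));

        svc.failures.put("alice", 5);
        try {
            svc.resetChecked(scriptOnly, "alice");
        } catch (SecurityException e) {
            System.out.println("explicit check rejected call: " + e.getMessage());
        }
        System.out.println("explicit check, counter kept: " + svc.failures.containsKey("alice"));
    }
}
```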