Steps to reproduce:
- Go to <server>/xwiki/bin/view/Main/?xpage=documentTags&xaction=add&ajax=true&tag=foo
- Go to <server>/xwiki/bin/view/Main/?xpage=documentTags&xaction=delete&ajax=true&tag=foo
Expected result:
- A CSRF token validation failure error is displayed (or some other more generic error).
Actual result:
- The tag is added to/deleted from the page.
Note that for adding tags, the CSRF token is actually included in the form but it is not validated on the server.
I have reproduced this issue on 2.6 (and a recent development version) but I think even older versions should be vulnerable.
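
A way to check whether a wiki has received such requests, as an added example that is not part of the original report or of XWiki's code: it scans access-log lines for state-changing `documentTags` requests that carry no CSRF token or arrive with a Referer from another host. The token parameter name `form_token`, the host `wiki.example`, the Combined Log Format and the sample lines are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: "METHOD target PROTO" status size "referer" "agent"
LINE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"')
STATE_CHANGING = {"add", "delete"}  # xaction values from the report

def suspicious_tag_requests(lines, wiki_host, token_param="form_token"):
    """Return (reason, tag, target) for each state-changing documentTags
    request that has no CSRF token or was triggered from another host.
    token_param is an assumed parameter name; adjust it to your deployment."""
    findings = []
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        if query.get("xpage", [""])[-1] != "documentTags":
            continue
        if query.get("xaction", [""])[-1] not in STATE_CHANGING:
            continue
        tag = query.get("tag", [""])[-1]
        referer_host = urlsplit(m["referer"]).hostname  # None for "-" or empty
        if not query.get(token_param, [""])[-1]:
            findings.append(("missing-token", tag, m["target"]))
        elif referer_host is not None and referer_host != wiki_host:
            findings.append(("cross-site-referer", tag, m["target"]))
    return findings

# Constructed sample log lines (documentation addresses and hosts only).
BASE = "/xwiki/bin/view/Main/?xpage=documentTags"
SAMPLE_LOG = [
    f'203.0.113.5 - alice [10/Jan/2011:10:00:01 +0000] "GET {BASE}&xaction=add&ajax=true&tag=foo HTTP/1.1" 200 512 "http://other.example/page.html" "Mozilla/5.0"',
    f'203.0.113.5 - alice [10/Jan/2011:10:02:00 +0000] "GET {BASE}&xaction=add&ajax=true&tag=bar&form_token=abc123 HTTP/1.1" 200 512 "http://wiki.example/xwiki/bin/view/Main/" "Mozilla/5.0"',
    f'203.0.113.5 - alice [10/Jan/2011:10:03:00 +0000] "GET {BASE} HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    f'203.0.113.9 - bob [10/Jan/2011:10:04:00 +0000] "GET {BASE}&xaction=delete&ajax=true&tag=baz&form_token=abc123 HTTP/1.1" 200 512 "http://other.example/x" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for reason, tag, target in suspicious_tag_requests(SAMPLE_LOG, "wiki.example"):
        print(f"{reason}: tag={tag!r} {target}")
```

A token appearing in the URL only shows that one was sent; whether the server validated it still has to be confirmed on the server side.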