I've not tested it so maybe I'm wrong but...
Similar to the download attachment bug, I've found out that when the function net.jforum.view.forum.ModerationHelper.doModeration() checks for permission, it only checks if the user has permission_moderation, which is not per forum.
So users with moderation permission in any forum can lock/unlock, remove and move threads if they can guess the correct topicID and fake an HTML form with those params, without being a moderator on that forum.
One solution could be to check net.jforum.entities.UserSession.isModerator(forumID) at the beginning of the doModeration() function.
[originally posted on jforum.net by ramons]
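
The difference between the global check and the per-forum check described in the post above, as an added example that is not part of the original post and is not JForum source code. The classes are stand-ins: only the name isModerator(forumID) comes from the post, while hasModerationPermission(), the topic-to-forum map and the sample IDs are assumptions made for illustration.

```java
import java.util.Map;
import java.util.Set;

// Stand-in model, not JForum source: only isModerator(forumId) is named in the post.
public class ModerationCheckDemo {
    // Constructed sample data: topic id -> id of the forum that holds it.
    static final Map<Integer, Integer> TOPIC_FORUM = Map.of(100, 1, 200, 2);

    static class UserSession {
        private final Set<Integer> moderatedForums;
        UserSession(Set<Integer> moderatedForums) { this.moderatedForums = moderatedForums; }

        // Hypothetical global flag: true if the user moderates at least one forum.
        boolean hasModerationPermission() { return !moderatedForums.isEmpty(); }

        // Per-forum check, as proposed in the post.
        boolean isModerator(int forumId) { return moderatedForums.contains(forumId); }
    }

    // Check as described in the post: only the global permission is consulted,
    // so the topic id plays no part in the decision.
    static boolean mayModerateGlobalOnly(UserSession user, int topicId) {
        return user.hasModerationPermission();
    }

    // Hardened check: resolve the forum from the stored topic (assumption: not
    // from a request parameter), then require moderator rights on that forum.
    static boolean mayModeratePerForum(UserSession user, int topicId) {
        Integer forumId = TOPIC_FORUM.get(topicId);
        if (forumId == null) {
            return false; // unknown topic: deny by default
        }
        return user.hasModerationPermission() && user.isModerator(forumId);
    }

    public static void main(String[] args) {
        UserSession modOfForum1 = new UserSession(Set.of(1)); // moderates forum 1 only
        int topicInForum2 = 200;
        System.out.println("global-only check allows: " + mayModerateGlobalOnly(modOfForum1, topicInForum2));
        System.out.println("per-forum check allows:   " + mayModeratePerForum(modOfForum1, topicInForum2));
        System.out.println("own forum still allowed:  " + mayModeratePerForum(modOfForum1, 100));
    }
}
```

For a move, the same per-forum test would also apply to the destination forum, which this model does not cover.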