Fronted publish form allows to overwrite any post
Publish form sets an <input>
with post_ID corresponding to the created draft for that post, and use it when submitted to retrieve it and update it.
But nothing is done to prevent an attacker to change that <input>
value and set it to any ID, allowing them to replace any post.