Non-bureaucrat users, including regular editors and moderators, cannot access edit/edit_delete_recognized_domain.cgi, but they can access edit/submit_delete_recognized_domain.cgi to create Delete Recognized Domain submissions.
In addition, non-bureaucrat moderators can approve Delete Recognized Domain submissions. When you combine these two vulnerabilities, they allow non-bureaucrat moderators to delete recognized domains.
Anonymous