Definitly bad and needs to be fixed globally.
One way I can think of is to have all dml pages (i.e. ???-2.tcl) check to see that it was called from its expected url. Or another solution is to have all admin pages (for all packages) have checks in them (I haven't thought this through yet though), maybe a global random pool or something not guessable.
Thanks for finding this as it is almost show stopper from my point of view and I really think it needs a fix before release. I may be overruled on this point but it is a BIG security problem.