If a user has at least view permissions on a space they can purge any page in that space using the URL:
and the right contentId and space key.
A purge can be performed even if the page has not been marked for deletion.
This issue has been replicated and verified by the Confluence support team:
This is a critical security hole and should be fixed ASAP.