The logout link doesn't check for a nonce, see:

A mean hax0r can trick a naive user into logging out themselves if they're redirected to http://their-your.ls/admin/index.php?action=logout.

Definitely not a big deal, but also trivial to fix.