Webmin version 1.890 was released with a backdoor that could allow anyone with knowledge of it to execute commands as root. Versions 1.900 to 1.920 also contained a backdoor using similar code, but it was not exploitable in a default Webmin install. Neither of these were accidental bugs - rather, the Webmin source code had been maliciously modified to add a non-obvious vulnerability.
Upgrade to Webmin version 1.930 is strongly recommended. Alternately, if running versions 1.900 to 1.920, edit /etc/webmin/miniserv.conf, remove the passwd_mode= line, then run /etc/webmin/restart.