The visitors-traffic-real-time-statistics plugin before 1.12 for WordPress has CSRF in the settings page.

%d bloggers like this: