The visitors-traffic-real-time-statistics plugin before 1.13 for WordPress has CSRF.

%d bloggers like this: