The user-access-manager plugin before 1.2 for WordPress has CSRF.Referenceshttps://wordpress.org/plugins/user-access-manager/#developers
