The contact-form-to-email plugin before 1.2.66 for WordPress has CSRF.Referenceshttps://wordpress.org/plugins/contact-form-to-email/#developers
