The visitors-traffic-real-time-statistics plugin before 1.12 for WordPress has CSRF in the settings page.Referenceshttps://wpvulndb.com/vulnerabilities/9420https://wordpress.org/plugins/visitors-traffic-real-time-statistics/#developers
