The alo-easymail plugin prior to 2.6.01 for WordPress has CSRF with resultant XSS in pages/alo-easymail-admin-options.php.
alo-easymail project alo-easymail