The podlove-podcasting-plugin-for-wordpress plugin for WordPress, in versions prior to 2.3.16, has a cross-site scripting (XSS) vulnerability that is exploitable via cross-site request forgery (CSRF).
Vendor: podlove. Product: podlove podcast publisher.