The icegram plugin prior to 1.9.19 for WordPress has CSRF via the wp-admin/edit.php option_name parameter.
icegram icegram engage