The newsletter-by-supsystic plugin prior to 1.1.8 for WordPress has CSRF.
supsystic newsletter by supsystic