The invite-anyone plugin prior to 1.3.16 for WordPress has admin-panel CSRF.
invite anyone project invite anyone