Serendipity up to and including 2.0.5 allows CSRF for the installation of an event plugin or a sidebar plugin.
s9y serendipity