CSRF exists in BigTree CMS 4.2.16 with the value parameter to the admin/settings/update/ page. The Colophon can be changed.
bigtreecms bigtree cms 4.2.16