The contact-form-to-email plugin for WordPress before version 1.2.66 is vulnerable to cross-site request forgery (CSRF).
codepeople contact form email