The wp-ultimate-csv-importer plugin prior to 5.6.1 for WordPress has CSRF.
smackcoders import all pages\\, post types\\, products\\, orders\\, and users as xml \\& csv