The church-admin plugin prior to 1.2550 for WordPress has CSRF affecting the upload of a bible reading plan.
churchadminplugin church admin