The companion-auto-update plugin for WordPress, in versions prior to 3.2.1, is vulnerable to cross-site request forgery (CSRF).
codeermeneer companion auto update