The visitors-traffic-real-time-statistics plugin prior to 1.12 for WordPress has CSRF in the settings page.
wp-buy visitor traffic real time statistics