The visitors-traffic-real-time-statistics plugin prior to 1.13 for WordPress has CSRF.
wp-buy visitor traffic real time statistics