The orbisius-child-theme-creator plugin prior to 1.5.2 for WordPress allows CSRF via orbisius_ctc_theme_editor_manage_file.
orbisius child theme creator