An issue exists in the XCloner Backup and Restore plugin prior to 4.2.153 for WordPress. It allows CSRF (via almost any endpoint).
xcloner xcloner