Tiki up to and including 25.0 allows CSRF attacks that are related to tiki-importer.php and tiki-import_sheet.php.