The Button Generator WordPress plugin prior to 3.0 does not have a CSRF check in place when bulk deleting, which could allow malicious users to make a logged-in admin delete buttons via a CSRF attack.
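The usual mitigation for this class of bug in a WordPress admin handler is a nonce emitted with the form and verified before any state change. The following is an added example, not code from the Button Generator plugin; every name prefixed `example_`, the `example_buttons` table and the `example-buttons` page slug are hypothetical.

```php
<?php
// Added example: hypothetical plugin code, not Button Generator's own source.
// All "example_" names, the table name and the page slug are assumptions.

// Render the bulk-delete form. wp_nonce_field() emits a hidden token bound to
// this action and the current user's session, which a cross-site page cannot read.
function example_render_bulk_form( array $buttons ) {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_bulk_delete_buttons">';
    wp_nonce_field( 'example_bulk_delete_buttons', 'example_nonce' );
    foreach ( $buttons as $button ) {
        printf(
            '<label><input type="checkbox" name="ids[]" value="%d"> %s</label><br>',
            (int) $button->id,
            esc_html( $button->title )
        );
    }
    submit_button( 'Delete selected' );
    echo '</form>';
}

// Handle the bulk delete. Capability and nonce are both checked before any row
// is touched; a handler missing the nonce check is the flaw described above.
function example_handle_bulk_delete() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // Terminates the request if the nonce is missing, expired or forged.
    check_admin_referer( 'example_bulk_delete_buttons', 'example_nonce' );

    $ids = isset( $_POST['ids'] )
        ? array_map( 'absint', (array) wp_unslash( $_POST['ids'] ) )
        : array();

    global $wpdb;
    foreach ( array_filter( $ids ) as $id ) {
        // Parameterised delete; the id is forced to an integer above.
        $wpdb->delete( $wpdb->prefix . 'example_buttons', array( 'id' => $id ), array( '%d' ) );
    }

    wp_safe_redirect( admin_url( 'admin.php?page=example-buttons' ) );
    exit;
}
add_action( 'admin_post_example_bulk_delete_buttons', 'example_handle_bulk_delete' );
```

The capability check alone does not stop CSRF, because the forged request carries the admin's own session cookie; the nonce is what ties the request to a form the admin actually loaded.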