The church-admin plugin before 1.2550 for WordPress has CSRF affecting the upload of a bible reading plan.