Tiki through 25.0 allows CSRF attacks that are related to tiki-importer.php and tiki-import_sheet.php.