There was an
announcement about a soon to be announced issue with CSRF in the forums last month. Turns out with stock JForum someone could have deleted the forums with a CSRF attack! (don't worry, they can't anymore.)
3 part blog post describing CSRF, how we fixed it, many of the obstacles encountered (interesting bugs and coding techniques) and links to github showing some code changes.
part 1
part 2
part 3
As I was doing this, I learned a lot of people haven't heard of CSRF. Check out the blog to learn more or ask here - in this post or in the forums.