CSRF was discovered in the web UI in Deluge before 1.3.14. The exploitation methodology involves hosting a crafted plugin that executes an arbitrary program from its __init__.py file and causing the victim to download, install, and enable this plugin.