CakePHP 2.x and 3.x before 3.1.5 might allow remote attackers to bypass the CSRF protection mechanism via the _method parameter.
https://github.com/cakephp/cakephp/commit/0f818a23a876c01429196bf7623e1e94a50230f0
http://www.securityfocus.com/archive/1/537317/100/0/threaded
http://bakery.cakephp.org/2015/11/29/cakephp_315_released.html