The reflex-gallery plugin for WordPress is vulnerable to cross-site scripting (XSS) in versions prior to 1.4.3.
Vendor: reflex gallery project | Product: reflex gallery