The i-recommend-this plugin prior to 3.7.3 for WordPress has SQL injection.
Vendor: themeist; product: i recommend this