The duplicate-post plugin prior to 2.6 for WordPress has SQL injection.
duplicate post project duplicate post