Versions of the rich-counter plugin for WordPress prior to 1.2.0 allow JavaScript injection via the User-Agent header.
saschart rich counter