Apache Cordova iOS prior to 4.0.0 allows remote malicious users to execute arbitrary plugins via a link.
apache cordova