The download-monitor plugin before 1.7.1 for WordPress has a cross-site scripting (XSS) vulnerability related to add_query_arg.
never5 download monitor