The wp-ultimate-csv-importer plugin for WordPress, in versions prior to 3.8.1, has a cross-site scripting (XSS) vulnerability.
smackcoders import all pages, post types, products, orders, and users as xml & csv