The newstatpress plugin prior to 1.0.5 for WordPress has SQL injection related to an IMG element.
Vendor: newstatpress project; Product: newstatpress