The newstatpress plugin prior to 1.0.1 for WordPress has SQL injection.
newstatpress project newstatpress