The easy-digital-downloads plugin for WordPress is vulnerable to SQL injection in versions prior to 2.3.3.
sandhillsdev easy digital downloads