The limit-attempts plugin prior to 1.1.1 for WordPress has SQL injection during IP address handling.
bestwebsoft limit attempts