The ckeditor-for-wordpress plugin prior to 4.5.3.1 for WordPress has reflected XSS in the "built-in (old)" file browser.
cksource ckeditor