The feed-them-social plugin prior to 1.7.0 for WordPress has reflected XSS in the Facebook Feeds load more button.
slickremix feed them social