The feedwordpress plugin prior to 2015.0514 for WordPress has XSS via add_query_arg() and remove_query_arg().
feedwordpress project feedwordpress