iThemes Builder Style Manager prior to 0.7.7 for WordPress has XSS via add_query_arg() and remove_query_arg().
ithemes builder style manager