The mtouch-quiz plugin prior to 3.1.3 for WordPress has wp-admin/edit.php CSRF with resultant XSS.
mtouch quiz project mtouch quiz