The wp-stats-dashboard plugin up to and including 2.9.4 for WordPress has admin/graph_trend.php type SQL injection.
trivetechnology wp-stats-dashboard