The xpinner-lite plugin for WordPress, in versions up to and including 2.2, is vulnerable to CSRF via wp-admin/options-general.php, with resultant XSS.
cyberseo xpinner lite