The unite-gallery-lite plugin for WordPress, in versions prior to 1.5, is vulnerable to SQL injection via the data[galleryID] parameter in requests to wp-admin/admin-ajax.php.
unitegallery unite gallery lite