The pretty-link plugin for WordPress prior to 1.6.8 has a SQL injection vulnerability in PrliLinksController::list_links via the group parameter.
caseproof pretty link