The incoming-links plugin prior to 0.9.10b for WordPress has referrers.php XSS via the Referer HTTP header.
monitorbacklinks incoming links