The all-in-one-wp-security-and-firewall plugin prior to 4.0.6 for WordPress has XSS in settings pages.
tipsandtricks-hq all in one wp security \\& firewall