The ultimate-member plugin prior to 1.3.40 for WordPress has XSS on the login form.
ultimatemember ultimate member