The peters-login-redirect plugin prior to 2.9.1 for WordPress has XSS during the editing of redirect URLs.
profilepress loginwp