The xtremelocator plugin 1.5 for WordPress is vulnerable to SQL injection via the id parameter.
xtremelocator xtremelocator 1.5