The zm-gallery plugin 1.0 for WordPress has SQL injection via the order parameter.
Affected product: zm-gallery 1.0 (vendor: zm-gallery project)