The dwnldr plugin prior to 1.01 for WordPress has XSS via the User-Agent HTTP header.
findshorty dwnldr