The wp-cerber plugin prior to 2.7 for WordPress has XSS via the X-Forwarded-For HTTP header.
wpcerber cerber security antispam & malware scan