The FormCraft Basic plugin 1.0.5 for WordPress has SQL injection in the id parameter to form.php.
formcrafts formcraft 1.0.5