DedeCMS up to and including 5.7 has SQL Injection via the $_FILES superglobal to plus/recommend.php.
dedecms dedecms