The eelv-newsletter plugin before 4.6.1 for WordPress has a cross-site scripting (XSS) vulnerability in the address book.
eelv newsletter project eelv newsletter