The analytics-tracker plugin prior to 1.1.1 for WordPress has XSS via a search event.
analytics tracker project analytics tracker