The cforms2 plugin for WordPress, in versions prior to 14.13, is vulnerable to SQL injection in the tracking DB GUI via the Delete Entries or Download Entries actions.
Vendor: cformsii project; product: cformsii