The magic-fields plugin for WordPress, in versions prior to 1.7.2, has a cross-site scripting (XSS) vulnerability via the custom-write-panel-id parameter.