The kama-clic-counter plugin 3.4.9 for WordPress has SQL injection via the admin.php order parameter.
wp-kama kama click counter