The codection "Import users from CSV with meta" plugin prior to 1.12.1 for WordPress allows XSS via the value of a cell.