The Iptanus WordPress File Upload plugin prior to 4.3.4 for WordPress mishandles Settings attributes, leading to XSS.
iptanus wordpress file upload