The Tribulant Newsletters plugin for WordPress, in versions prior to 4.6.19, allows cross-site scripting (XSS) via the contentarea parameter of the wp-admin/admin-ajax.php?action=newsletters_load_new_editor request.