The 360-product-rotation plugin prior to 1.4.8 for WordPress has reflected XSS.
yofla 360 product rotation