The easy-digital-downloads plugin prior to 2.9.16 for WordPress has XSS related to IP address logging.
sandhillsdev easy digital downloads