The simple-mail-address-encoder plugin prior to 1.7 for WordPress has reflected XSS.
simple mail address encoder project simple mail address encoder