The LoginPress plugin prior to 1.1.4 for WordPress has SQL injection via an import of settings.
wpbrigade loginpress