The zx-csv-upload plugin 1 for WordPress has SQL injection via the id parameter.

%d bloggers like this: