The fs-shopping-cart plugin 2.07.02 for WordPress has SQL injection via the pid parameter.
