The kama-clic-counter plugin 3.4.9 for WordPress has SQL injection via the admin.php order parameter.
