The simple-mail-address-encoder plugin before 1.7 for WordPress has reflected XSS.

%d bloggers like this: