The "Count per Day" plugin before 3.2.6 for WordPress allows XSS via the wp-admin/?page=cpd_metaboxes daytoshow parameter.Referenceshttps://lists.openwall.net/full-disclosure/2013/03/05/2https://wordpress.org/plugins/count-per-day/#developers
