CVE-2015-9430

The crazy-bone plugin before 0.6.0 for WordPress has XSS via the User-Agent HTTP header.