Advanced World Database 2.0.5 has SQL Injection via the city.php country or state parameter, or the state.php country parameter.