The RobotCPA plugin 5 for WordPress has directory traversal via the f.php l parameter.