The WP Editor.MD plugin 1.6 for WordPress has a stored XSS vulnerability in the content of a post.