The Headway theme before 3.8.9 for WordPress has XSS via the license key field.