The rich-counter plugin before 1.2.0 for WordPress has JavaScript injection via a User-Agent header. Read more