Sucuri has a really in-depth walkthrough of the Akismet XSS vulnerability they discovered, and it’s a nasty 9/10 on their DREAD score. That basically means it’s easy to exploit and can result in a very bad outcome. Fortunately, auto-updates and responsible disclosure meant this one never saw the light of day. The recap is a good read.