Found a user with a strange display name: tomontoast" onclick="alert('xss') http://wordpress.org/support/profile/tomontoast http://buddypress.org/community/members/tomontoast/