Not injection. SQL error on invalid post# specified in 'p'. Better POC would be: http://pathtowordpress/index.php?feed=rss2&p=-1 See http://trac.wordpress.org/ticket/5185