The custom-admin-page plugin prior to 0.1.2 for WordPress has multiple XSS issues.
bestwebsoft custom admin page