BigTree prior to 4.2.22 has XSS in the Users management page via the name or company field.
bigtreecms bigtree cms