An issue exists in BTITeam XBTIT 2.5.4. news.php allows XSS via the id parameter.
btiteam xbtit 2.5.4