phpList prior to 3.5.3 allows XSS, with resultant privilege elevation, via lists/admin/template.php.
phplist phplist