The admin panel (admin.php) does not properly sanitize the text in the “Site Name” field, allowing a user with admin access to inject arbitrary HTML.
This is in a similar vein to CVE-2022-4733 but still exists as of version 7.0.1-dev.
<script>alert(document.cookie);</script>
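The pattern behind this class of bug, next to a hardened form, as an added example that is not the project's own code: the function names and the rendering contexts are hypothetical, and the stored value is the payload shown above. The fix is to encode the setting at output time for the HTML context it lands in, with an HttpOnly session cookie as a second layer against the `document.cookie` read.

```php
<?php
// Added example, not code from the affected project. All function names
// here are hypothetical; only the sample payload comes from the report.

// Vulnerable pattern: the stored "Site Name" is concatenated into markup as-is.
function render_header_unsafe(string $siteName): string
{
    return '<h1 class="site-name">' . $siteName . '</h1>';
}

// Output encoding for HTML element and quoted-attribute contexts.
// ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid
// UTF-8 instead of returning an empty string.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened: the same markup with the value encoded when it is written out.
function render_header_safe(string $siteName): string
{
    return '<h1 class="site-name">' . e($siteName) . '</h1>';
}

// The settings form echoes the current value back into an attribute,
// so the same encoding is needed there (always inside quotes).
function render_settings_input(string $siteName): string
{
    return '<input type="text" name="site_name" value="' . e($siteName) . '">';
}

// Second layer: keep the session cookie out of reach of document.cookie.
// Must be called before session_start(); array form requires PHP 7.3+.
function harden_session_cookie(): void
{
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);
}

// Sample value taken from the report, used here only as test input.
$stored = '<script>alert(document.cookie);</script>';

echo render_header_unsafe($stored), PHP_EOL;   // markup passes through intact
echo render_header_safe($stored), PHP_EOL;     // angle brackets become entities
echo render_settings_input('My "Site" <b>'), PHP_EOL; // quotes cannot close the attribute
```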