Awesome

wp-webshell-xss

A simple wordpress webshell injector

This is an attack script to insert a simple webshell in a file of the wordpress plugin "Event Register" by making use of the Wordpress Plugin Editor feature.

It can be injected via a persistent XSS in the attendee's list.

Probably also useful with other persistent XSS vulnerabilities, though you would have to adapt the URLs to inject into another file.