The My Custom CCS plugin allows the insertion of XSS code. Since the plugin is admin protected it's not as big of a threat, but can still be vulnerable to an inside attack.
Any code entered into the css editor is simply stored in the options table and then dumped out between style tags on the page. Thus, hackers can simply close the style block, insert a script block, and reopen the style block. Basically any code desired can be injected.
Like the idea, but looking for another 'clean' plugin for this purpose or may post a fix to this one if I end up using it.