Hi Brian
I do not think the plain output or XSS is the biggest problem. A bigger problem is remote execution of arbitrary php code.
I think there are a few ways to make this a big problem.
Make the transformation point to ../../../somepath/somefile
and then let that file actually contain <?php somenastycode();
Then you have remote execution on the host that has this phpMyAdmin installed.
The only problem is that the attacker needs to have access to the host to place a file somewhere. So this essentially just gives an attacker the permissions of the webserver instead of the user. It can be seen as some kind of escalation though.
But maybe this is possible with some upload services that place things on /tmp for some time.
Another way is to make somepath/somefile point to something already installed on the system. This depends heavily on what is already installed on the system.
Maybe it is possible to trigger some further problem if somepath/somefile points to a binary that contains too much data. No clue if that can be an issue.
I find it a little tricky to exploit this but I see some possibilities.
My conclusion however is about the same as yours. I do not think many are using the transformations so I think we can safely remove that.
Another option is to make a check for .. in the filename, because I think we can safely assume an attacker does not have write permission in the plugins directory, or can that be a problem too?
Best regards
// Ola
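The check for `..` in the transformation filename that the message proposes, shown as a small added example of how such a guard can be written; this is illustration code, not code from the thread or from phpMyAdmin itself. It assumes a hypothetical layout where transformation files live under a `plugins/transformations` directory and are named `<name>.inc.php`, and it combines the `..` check with two further guards a defender would want: a strict allow-list on the name (which rejects slashes, NUL bytes and encoded characters outright) and a `realpath()` containment test, which also catches a symlink inside the plugin directory that points outside it.

```php
<?php
// Added example (not from the original e-mail thread or the phpMyAdmin code base):
// validate a transformation name before it is used to build an include path.
// Assumptions (hypothetical): transformation files live under $pluginDir and
// are named like "text_plain__formatted.inc.php".

declare(strict_types=1);

/**
 * Return the absolute path of a transformation file, or null if the name is
 * not acceptable. Three independent checks are applied:
 *  1. syntactic allow-list: only [A-Za-z0-9_] plus a fixed ".inc.php" suffix,
 *     which rejects "..", "/", "\\", NUL bytes and percent-encoding outright;
 *  2. the explicit ".." check the e-mail suggests (kept as defence in depth);
 *  3. realpath() containment: the resolved file must live inside $pluginDir,
 *     which also catches symlinks pointing out of the directory.
 */
function resolveTransformationFile(string $name, string $pluginDir): ?string
{
    // 1. Strict allow-list on the name itself.
    if (!preg_match('/\A[A-Za-z0-9_]{1,64}\.inc\.php\z/', $name)) {
        return null;
    }

    // 2. Explicit traversal check (redundant with the regex, cheap to keep).
    if (strpos($name, '..') !== false) {
        return null;
    }

    // 3. Resolve both sides and require containment.
    $base = realpath($pluginDir);
    if ($base === false) {
        return null; // plugin directory itself is missing or unreadable
    }
    $target = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($target === false) {
        return null; // file does not exist
    }
    if (strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null; // resolved outside the plugin directory (e.g. via symlink)
    }
    return $target;
}

// Demonstration with a constructed temporary layout (created and removed here).
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'xfrm_demo_' . getmypid();
$pluginDir = $tmp . '/plugins/transformations';
mkdir($pluginDir, 0700, true);
file_put_contents($pluginDir . '/text_plain__formatted.inc.php', "<?php\n// harmless plugin\n");
file_put_contents($tmp . '/outside.php', "<?php\n// must never be reachable\n");
@symlink($tmp . '/outside.php', $pluginDir . '/link.inc.php');

$cases = [
    'text_plain__formatted.inc.php',   // legitimate name
    '../../outside.php',               // classic traversal, caught by checks 1 and 2
    '/etc/passwd',                     // absolute path, caught by check 1
    'text%2e%2e.inc.php',              // percent-encoded variant, caught by check 1
    'link.inc.php',                    // symlink escaping the directory, caught by check 3
];
foreach ($cases as $case) {
    $resolved = resolveTransformationFile($case, $pluginDir);
    printf("%-32s => %s\n", $case, $resolved === null ? 'REJECTED' : 'ok: ' . $resolved);
}

// Clean up the constructed layout.
@unlink($pluginDir . '/link.inc.php');
unlink($pluginDir . '/text_plain__formatted.inc.php');
unlink($tmp . '/outside.php');
rmdir($pluginDir);
rmdir($tmp . '/plugins');
rmdir($tmp);
```

The order matters: the allow-list runs before anything touches the filesystem, so a hostile name never reaches `realpath()`; the containment test is what still protects the install if the assumption in the message (no attacker write access to the plugins directory) ever fails, since a planted symlink is rejected even though its name is well-formed.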