It would be a big issue if the post variable was sent to a database. It is not. Anyway lets forget that and consider this a critical thing:
https://github.com/Znote/ZnoteAAC/blob/master/admin.php#L3
In order to exploit that, you need to get access to admin.php, which means you need to be an admin.
So if the admin really wants, he can exploit it on himself or on other admins to create a funny error message.
Perhaps if the admin is really stupid, one of his users may trick him to click a link that has an iframe in it controlled by javascript ajax, if you have cross origin globally enabled, they may give you a funny message in your admin panel.
But rest assured, I will make sure to patch it up. In the end it is sloppy work by me.