XAMPP for Windows in its default configuration, installed on a public server, is quickly exploited by a current worm as we just learned the hard way.
The problem is that Apache is configured to listen on all ports, which allows everyone to log in through phpMyAdmin without a password. Because MySQL has commands to interact with the file system *and* it has full access to it, someone can place a rogue script on the server, execute it, and take full control over the server.
Although the documentation mentions that XAMPP is not for production use and what should be done to secure the configuration, this is not emphasized anywhere - I bet 90% of users won't know about this unless you add in a big warning screen.
The default configuration should really be a bit more tighter to prevent this from happening - Apache could be bound to localhost only, or phpMyAdmin access could be limited to localhost only, or with an auto-generated password that is displayed in the installer. The security console could then allow to remove (not add) this functionality. Just my 2 cents.