PHPMyAdmin vulnerabilities

time to upgrade

         

jatar_k

8:06 pm on Dec 6, 2005 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



[securityfocus.com...]

seems they released version 2.7.0 to address these issues

upgrade time as I know a lot of people here use it

ergophobe

6:39 pm on Dec 7, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Sounds bad on the face of it, but since PhpMyAdmin is usually behind some authentication layer which gives access to all sorts of site information (like CPanel with a file manager and all), by the time someone gets to the point of being able to inject XSS into your PhpMyAdmin install, they can probably do almost anything they please to your DB or your site in general.

It seems like XSS vulnerabilities in this case would be less to worry about than in others. Am I missing something?

jatar_k

6:41 pm on Dec 7, 2005 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



no, I thought the same but figured it was worth a mention

I have this image in my mind like open logs, I bet there are open phpmyadmins as well. This being the case I think the least of your worries is whether they can exploit it via XSS but that they could one click drop the whole thing.