1. Not much, or non-malicious messing with settings, turning off the machine or rebooting (can be done through admin panel). Annoying.
2. Targeted for further exploitation, as a sign of an unsecured panel perhaps means other services or poor practices. I don't know about this one; is anything gained over typical port scanning and bots looking for ways in?
3. The possibility of using this access for things like PHP exploits or security holes in Pi-Hole. As it shouldn't really be on the internet without a password at least, could be it is not as thoroughly vetted.
4. Most damage: probably changing the DNS server the Pi-Hole uses to a compromised one. Traffic could then be monitored (ish, up to SSL) and redirected. However, not sure how much you can do with this without other exploits (SSL certificates, malicious ad injection), does this actually make things worse?
What do you think? There are reports of some number of Pi-Holes just out there on the internet due to router misconfiguration or whatever, how bad is it? If everything else is secured, what does this gain an attacker? If someone finds out they put theirs on the internet, what should they watch out for after securing it?
It's the same with any service exposed to the web really, that's pretty much the bottom line.
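Added example, not part of the thread: a post-exposure check for the scenario in point 4 (a changed upstream DNS server) and for a panel left without a password. It assumes a Pi-hole v5-style `setupVars.conf` with `PIHOLE_DNS_<n>` and `WEBPASSWORD` keys; the sample config and the expected resolver list are constructed.

```python
import ipaddress

# Constructed sample; 203.0.113.66 is a documentation-range address.
SAMPLE_CONF = """\
PIHOLE_INTERFACE=eth0
PIHOLE_DNS_1=9.9.9.9
PIHOLE_DNS_2=203.0.113.66#5353
WEBPASSWORD=
"""

def parse_conf(text):
    """Return KEY=value pairs, ignoring blank lines and comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings

def normalise(value):
    """Drop an optional '#port' suffix and canonicalise the IP, else None."""
    try:
        return str(ipaddress.ip_address(value.split("#", 1)[0]))
    except ValueError:
        return None

def audit(text, expected):
    """List findings: unknown upstream resolvers and a missing admin password."""
    settings = parse_conf(text)
    allowed = {normalise(addr) for addr in expected}
    findings = []
    for key in sorted(settings):
        if not key.startswith("PIHOLE_DNS_") or not settings[key]:
            continue
        resolver = normalise(settings[key])
        if resolver is None:
            findings.append(f"unparseable upstream resolver: {settings[key]}")
        elif resolver not in allowed:
            findings.append(f"unexpected upstream resolver: {resolver}")
    if not settings.get("WEBPASSWORD"):
        findings.append("admin panel has no password set")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF, ["9.9.9.9", "149.112.112.112"]):
        print(finding)
```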