If an authenticated admin clicks on a malicious link, the script executes in their browser, potentially allowing attackers to perform actions on their behalf, including escalating to remote code ...