xzs-mysql 3.8 is vulnerable to Insufficient Session Expiration, which allows malicious users to use the session of a deleted admin to do anything.