A slightly older but well-documented exploit specifically targeting (and impacting the 7.4.x branch) allows a regular user to become an administrator.
—ensuring the XAMPP directory is not writable by standard users—effectively neutralizes the threat even if the path remains unquoted. step-by-step technical guide xampp for windows 746 exploit
Version 7.4.6 was released during a period when these unquoted path issues were being heavily audited by security researchers, leading to several documented "Proof of Concept" (PoC) scripts being published on platforms like Exploit-DB. Mitigation and Lessons The fix for this specific exploit is straightforward: xampp for windows 746 exploit