phpMyAdmin 4.9.5 Exploit Guide

Beyond CSRF, version 4.9.5 often serves as a gateway for SQL injection if the underlying PHP environment or specific plugins are outdated. In a typical exploit, an attacker may use a vulnerable endpoint within the phpMyAdmin transformation feature or the setup script to inject arbitrary SQL commands. If successful, this bypasses the standard authentication layers, granting the attacker direct access to the database "heart." This can lead to total data exfiltration or the installation of web shells, which allow for persistent remote access to the entire web server.

When a higher-privileged user (like a database admin) interacted with that input, the malicious code would run with the admin's permissions, potentially allowing the attacker to steal data or modify other user accounts.

The Patch: The phpMyAdmin team released phpmyadmin 4.9.5 exploit
