CVE-2025-56556: 
PHP vulnerability analysis and mitigation

An issue was discovered in Subrion CMS 4.2.1 that allows authenticated administrators or moderators with access to the built-in Run SQL Query feature under the SQL Tool admin panel to gain escalated privileges. The vulnerability was disclosed on September 11, 2025, and has been assigned CVE-2025-56556. The vulnerability has received a CVSS v3.1 base score of 6.5 (Medium) (NVD).

The vulnerability exists in the SQL Tool admin panel's query execution feature where moderator-level users can execute unrestricted SQL queries, including Data Definition Language (DDL) and privileged operations. The issue stems from improper access control mechanisms that fail to restrict the types of SQL queries that can be executed by moderator roles. The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N, indicating network accessibility with low attack complexity (AttackerKB).

The vulnerability allows attackers with moderator-level access to escalate privileges to full MySQL root-equivalent access, add or remove users in the database, and delete entire database tables. This could lead to complete database compromise and unauthorized administrative access (GitHub Issue).

The recommended mitigations include implementing role-based query restrictions to prevent moderator roles from executing high-privilege queries such as CREATE USER, GRANT, DROP USER, and DROP TABLE. Additionally, implementing a whitelist-based query filter that only allows predefined safe SQL statements (SELECT, INSERT, UPDATE, SET, WHERE, ORDER BY, GROUP BY, LIMIT, !=, LIKE) is advised (GitHub Issue).