Arbitrary SQL queries can be executed by any user who can edit a PHPWiki page in a project.
Impact
An authenticated attacker could execute arbitrary SQL queries.
CVSSv3 score: 8.8 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploitation
Create a PHPWiki page and put something like <?plugin SqlResult alias=phpwiki SELECT SLEEP(10) ?> in it. Generating the page then ends with a fatal error after 10 seconds.
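To check whether existing wiki content already calls this plugin, the page sources can be audited for SqlResult blocks. The script below is an added example, not code from the advisory or the project; it assumes page sources are available as plain text, and its function names, the case-insensitive match and the sample pages are constructed for illustration.

```python
import re

# Plugin blocks in the form shown in the advisory:
#   <?plugin SqlResult alias=phpwiki SELECT ... ?>
# DOTALL allows multi-line blocks; IGNORECASE is an assumption made here.
PLUGIN_BLOCK = re.compile(r"<\?plugin\s+(\w+)(.*?)\?>", re.DOTALL | re.IGNORECASE)
ARGUMENT = re.compile(r"^\s*(\w+)=(\S+)")


def find_sqlresult_calls(page_name, page_text):
    """Return one finding per SqlResult invocation in a page's wiki source."""
    findings = []
    for match in PLUGIN_BLOCK.finditer(page_text):
        plugin, body = match.group(1), match.group(2)
        if plugin.lower() != "sqlresult":
            continue
        args = {}
        # Peel leading key=value arguments; what remains is the SQL text.
        while (arg := ARGUMENT.match(body)):
            args[arg.group(1)] = arg.group(2)
            body = body[arg.end():]
        findings.append({
            "page": page_name,
            "line": page_text.count("\n", 0, match.start()) + 1,
            "alias": args.get("alias"),
            "sql": " ".join(body.split()),
        })
    return findings


# Constructed sample pages (not taken from a real instance).
SAMPLE_PAGES = {
    "HomePage": "Welcome.\n<?plugin RecentChanges limit=5 ?>\n",
    "Stats": "Report\n<?plugin SqlResult alias=phpwiki SELECT SLEEP(10) ?>\n",
    "Notes": "x\ny\n<?plugin sqlresult alias=phpwiki\n  SELECT 1\n?>\n",
}


def audit(pages):
    """Scan every page, in name order, and collect all findings."""
    results = []
    for name, text in sorted(pages.items()):
        results.extend(find_sqlresult_calls(name, text))
    return results


if __name__ == "__main__":
    for finding in audit(SAMPLE_PAGES):
        print(finding)
```

Each finding gives the page, the line where the block starts, the database alias and the embedded query, so a reviewer can decide which pages need attention.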