CVE-2026-25544

Payload CMS · Payload

Payload CMS is vulnerable to blind SQL injection in JSON and richText field queries. Unauthenticated attackers can extract sensitive data and achieve full account takeover by embedding unescaped input into SQL.

Executive summary

An unauthenticated blind SQL injection vulnerability in Payload CMS allows attackers to steal sensitive data and take over administrative accounts.

Vulnerability

User input provided during queries of JSON or richText fields is directly embedded into SQL statements without proper escaping. This allows an unauthenticated attacker to perform blind SQL injection to exfiltrate data such as emails and password reset tokens.

Business impact

The ability to extract password reset tokens allows for full account takeover without the need for password cracking. With a CVSS score of 9.8, this vulnerability poses a critical risk to data confidentiality and can lead to the total compromise of the CMS and its hosted content.

Remediation

Immediate Action: Update Payload CMS to version 3.73.0 or later, the release in which the affected database queries are properly parameterized.

Proactive Monitoring: Review database logs for unusual query patterns or a high frequency of boolean-based or time-based SQL syntax in JSON field filters.

Compensating Controls: Utilize a Web Application Firewall (WAF) with SQL injection protection rules enabled to detect and block malicious query attempts.
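As an added illustration of the monitoring step above (example code, not from Payload CMS or this advisory), the following Python scans PostgreSQL-style statement-log lines for boolean-based and time-based SQL injection syntax inside JSON field filters and escalates when such statements arrive in volume. The log lines, table and column names, and the frequency threshold are constructed assumptions.

```python
import re

# Generic boolean-based and time-based SQL injection syntax signatures. They are
# not tied to Payload CMS's query builder; they simply should never appear in a
# value that arrived through a JSON/richText field filter.
SIGNATURES = {
    "time-based": re.compile(r"\b(pg_sleep|sleep|benchmark)\s*\(|\bwaitfor\s+delay\b", re.IGNORECASE),
    "boolean-tautology": re.compile(r"\b(and|or)\s+('?)(\w+)\2\s*=\s*\2\3\2", re.IGNORECASE),
}
# PostgreSQL JSON/JSONB operators and functions that mark a JSON field filter.
JSON_FILTER = re.compile(r"->>?|\bjsonb?_\w+\(", re.IGNORECASE)

# Constructed sample lines in PostgreSQL statement-log style. Table and column
# names are hypothetical, not Payload CMS's real schema.
SAMPLE_LOG = [
    "LOG:  statement: SELECT id FROM posts WHERE content->>'title' = 'Hello'",
    "LOG:  statement: SELECT id FROM posts WHERE content->>'title' = 'x' OR '1'='1'",
    "LOG:  statement: SELECT id FROM posts WHERE content->>'title' = 'x' AND pg_sleep(5) IS NULL",
    "LOG:  statement: SELECT id FROM users WHERE email = 'a@example.com'",
    "LOG:  statement: SELECT id FROM posts WHERE content->>'title' = 'x' OR 2=2",
]

def statement_of(line: str) -> str:
    """Pull the SQL out of a 'statement: ...' log line; other formats are used whole."""
    _, sep, sql = line.partition("statement:")
    return sql.strip() if sep else line

def classify_statement(sql: str) -> list[str]:
    """Names of the injection signatures found in one SQL statement."""
    return [name for name, rx in SIGNATURES.items() if rx.search(sql)]

def scan_log(lines: list[str], threshold: int = 3) -> dict:
    """Flag statements that filter on JSON fields and carry injection syntax.
    threshold is an assumed count at which the batch is escalated as the
    'high frequency' pattern the advisory tells administrators to watch for."""
    findings = []
    for idx, line in enumerate(lines):
        sql = statement_of(line)
        if not JSON_FILTER.search(sql):
            continue  # only JSON/richText field filters are in scope here
        tags = classify_statement(sql)
        if tags:
            findings.append((idx, tags))
    return {"findings": findings, "alert": len(findings) >= threshold}

if __name__ == "__main__":
    for idx, tags in scan_log(SAMPLE_LOG)["findings"]:
        print(idx, tags, statement_of(SAMPLE_LOG[idx]))
```

Point the scanner at real statement logs (or a WAF's request log) and tune the threshold per tenant; a single hit on a JSON filter is already worth a look, since these operators never carry SQL syntax in legitimate traffic.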

Exploitation status

Public Exploit Available: No

Analyst recommendation

The risk of unauthenticated account takeover makes this a critical priority. Administrators should apply the update to version 3.73.0 immediately to protect sensitive user data and maintain control over their content management system.