CVE-2026-27593
Statamic · Statamic CMS
Statamic CMS contains a flaw in its password reset feature that allows attackers to capture reset tokens. By knowing a user's email, an attacker can hijack the reset process and take over accounts.
Executive summary
Statamic CMS is vulnerable to a critical account takeover flaw where attackers can intercept password reset tokens to gain unauthorized access to valid user accounts.
Vulnerability
The vulnerability exists in the password reset logic, allowing an unauthenticated attacker to capture a user's reset token. The attack requires the attacker to know a target's email address and involves some user interaction, but once the token is captured the attacker can complete the reset and take over the account without ever knowing the victim's password.
Business impact
With a CVSS score of 9.3, this vulnerability poses a significant risk to data integrity and confidentiality. Unauthorized access to a CMS can lead to website defacement, the injection of malicious scripts (Magecart-style attacks), or the theft of sensitive customer data. For organizations relying on Statamic for business operations, this could result in severe reputational damage.
Remediation
Immediate Action: Update Statamic CMS to version 6.3.3 (6.x branch) or 5.73.10 (5.x branch) immediately to resolve the token capture flaw. Confirm the version actually deployed with composer show statamic/cms or by inspecting composer.lock, since a fix merged in source control is not a fix until it is installed on every environment.
Proactive Monitoring: Audit authentication logs for unexpected password changes and for logins from unfamiliar locations or IP ranges, especially when they closely follow a password reset request. A reset completed from a location the user has never logged in from deserves particular scrutiny.
Compensating Controls: Require multi-factor authentication (MFA) for all CMS users so that a reset password alone does not grant access. This only helps if the second factor is enforced on the login that follows a reset and cannot itself be cleared through the reset flow, so verify both before relying on it.
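The following script is an added example for the patch check in the Immediate Action item; it is not code from Statamic or from this advisory. It reads a composer.lock document, finds the statamic/cms package (assumed to be the package name under which the CMS is installed), and compares the recorded version against the fixed releases for each branch. Versions on branches the advisory does not mention, dev branches and pre-releases are reported as unknown rather than fixed. The sample lock content is constructed.

```python
import json
import sys
from typing import Optional, Tuple

# Fixed releases named in the advisory, keyed by major branch.
FIXED_VERSIONS = {5: (5, 73, 10), 6: (6, 3, 3)}

# Constructed sample composer.lock content (not a real project's lock file).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v11.30.0"},
        {"name": "statamic/cms", "version": "v5.72.4"},
    ],
    "packages-dev": [],
})


def parse_version(version: str) -> Optional[Tuple[int, int, int]]:
    """Turn a composer release string such as 'v6.3.1' or '5.72.0' into a tuple.

    Returns None for anything that is not a plain release (dev branches such as
    'dev-master', pre-releases such as '6.3.3-beta.1'), so the caller reports
    those as unknown instead of silently treating them as patched.
    """
    v = version.strip()
    if v.startswith("v"):
        v = v[1:]
    if "-" in v or "+" in v:
        return None
    parts = v.split(".")
    if len(parts) not in (3, 4) or not all(p.isdigit() for p in parts):
        return None
    major, minor, patch = (int(p) for p in parts[:3])
    return (major, minor, patch)


def assess(version: str) -> str:
    """Classify an installed statamic/cms version: 'fixed', 'vulnerable' or 'unknown'."""
    parsed = parse_version(version)
    if parsed is None:
        return "unknown"
    fixed = FIXED_VERSIONS.get(parsed[0])
    if fixed is None:
        # Branches other than 5.x and 6.x are not addressed by the advisory text.
        return "unknown"
    return "fixed" if parsed >= fixed else "vulnerable"


def installed_version(lock_json: str, package: str = "statamic/cms") -> Optional[str]:
    """Return the version string recorded for `package` in a composer.lock document."""
    lock = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == package:
                return pkg.get("version")
    return None


def audit_lock(lock_json: str) -> str:
    """Combine both steps: 'fixed', 'vulnerable', or 'unknown' (package absent or unparsable)."""
    version = installed_version(lock_json)
    return "unknown" if version is None else assess(version)


if __name__ == "__main__":
    # Usage: python check_statamic.py /path/to/composer.lock (defaults to the sample).
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    print(installed_version(text), "->", audit_lock(text))
```

Run it against the composer.lock of each deployed environment, not only the repository copy; the comparison is per branch, so a 5.x install is judged against 5.73.10 and a 6.x install against 6.3.3.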
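To make the Proactive Monitoring item concrete, here is an added detection example that is not part of the advisory and not Statamic code. It processes a chronological stream of authentication events and raises two findings: a password reset completed from a country the user has never logged in from, and a login from a new country within 24 hours of a completed reset. The event schema (ts, user, event, country) and the event names are assumptions; the sample events are constructed and would need to be mapped from whatever log format the CMS and its reverse proxy actually emit.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Set

# How long after a completed reset a login from a new country is treated as linked to it.
RESET_WINDOW = timedelta(hours=24)

# Constructed sample audit events (not real Statamic log output). The field names are
# generic; map your own authentication log onto ts/user/event/country before calling.
SAMPLE_EVENTS = [
    {"ts": "2026-03-01T08:00:00", "user": "alice@example.com", "event": "login", "country": "DE"},
    {"ts": "2026-03-02T08:05:00", "user": "alice@example.com", "event": "login", "country": "DE"},
    {"ts": "2026-03-03T09:00:00", "user": "bob@example.com", "event": "login", "country": "US"},
    # Alice: reset requested from her usual country, but completed and then used from another.
    {"ts": "2026-03-04T10:00:00", "user": "alice@example.com", "event": "password.reset.requested", "country": "DE"},
    {"ts": "2026-03-04T10:01:00", "user": "alice@example.com", "event": "password.reset.completed", "country": "RU"},
    {"ts": "2026-03-04T10:02:00", "user": "alice@example.com", "event": "login", "country": "RU"},
    # Bob: an ordinary self-service reset from his usual country.
    {"ts": "2026-03-05T11:00:00", "user": "bob@example.com", "event": "password.reset.requested", "country": "US"},
    {"ts": "2026-03-05T11:03:00", "user": "bob@example.com", "event": "password.reset.completed", "country": "US"},
    {"ts": "2026-03-05T11:04:00", "user": "bob@example.com", "event": "login", "country": "US"},
    # Alice again, days later: a new country, but no recent reset, so it is not reset-linked.
    {"ts": "2026-03-09T12:00:00", "user": "alice@example.com", "event": "login", "country": "FR"},
]


def find_suspicious(events: List[dict]) -> List[dict]:
    """Flag password resets and post-reset logins that come from a country the
    user has never logged in from before. Events are processed in time order, so
    the per-user baseline only contains logins that happened earlier."""
    ordered = sorted(events, key=lambda e: e["ts"])
    seen: Dict[str, Set[str]] = {}        # user -> countries of earlier successful logins
    last_reset: Dict[str, datetime] = {}  # user -> time of the most recent completed reset
    findings: List[dict] = []
    for e in ordered:
        user, country = e["user"], e["country"]
        ts = datetime.fromisoformat(e["ts"])
        known = seen.setdefault(user, set())
        if e["event"] == "password.reset.completed":
            # A user with no login history has no baseline; skip rather than guess.
            if known and country not in known:
                findings.append({"user": user, "ts": e["ts"], "country": country,
                                 "rule": "reset_from_new_location"})
            last_reset[user] = ts
        elif e["event"] == "login":
            recent_reset = user in last_reset and ts - last_reset[user] <= RESET_WINDOW
            if recent_reset and country not in known:
                findings.append({"user": user, "ts": e["ts"], "country": country,
                                 "rule": "login_new_location_after_reset"})
            known.add(country)
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_EVENTS):
        print(f"{f['ts']} {f['user']} {f['rule']} ({f['country']})")
```

The time window keeps the rule focused on resets: a travelling user logging in from a new country days after a routine reset is not flagged, whereas a reset completed and immediately used from a location the user has no history with produces two findings. Country is only one signal; an ASN or IP-range baseline works the same way and catches attackers who proxy through the victim's country.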
Exploitation status
Public Exploit Available: No
Analyst recommendation
Account takeover vulnerabilities in web-facing applications are prime targets for automated attacks. We recommend that administrators apply the relevant security patches immediately. Because the attack begins with a reset request for a known email address, alerting on bursts of reset requests, particularly for administrator accounts, gives early warning. Furthermore, educating users to be wary of unsolicited password reset emails is a critical supplementary defense against this specific exploit vector.