
Target Industry

Indiscriminate and opportunistic targeting.

Overview

Severity level: Critical – Exploitation of this vulnerability can allow attackers to launch phishing campaigns from vulnerable newsletters, resulting in reputational damage. Furthermore, this vulnerability also introduces the possibility of cross-site scripting (XSS), allowing attackers to take control of affected sites.

A patch was released by the vendor on 28th November 2022.

Impact

Given the critical severity of the vulnerability, the projected impact is severe, including reputational damage from phishing sent through a trusted newsletter and loss of control of the site via XSS.

Vulnerability Detection

Ghost CMS was made aware of the vulnerability on 26th October 2022, with the patch being released on 28th November 2022.
The API endpoint ‘/members/api/member/’ is exposed to non-administrative users. However, the endpoint also exposes the member's newsletter relationship, allowing non-administrative users to create and modify newsletters and newsletter subscriptions. By extension, this allows non-administrative users to inject JavaScript into newsletters – a capability intended to be reserved for administrators only.

Note that a non-administrative user in this context is any user that has signed up to a newsletter by supplying an email address.

Affected Products

Ghost versions 5.0.0-5.22.6
Ghost versions 4.46.0-4.48.7

Containment, Mitigations & Remediations

It is strongly recommended that customers who use Ghost CMS to publish articles and/or send newsletters update to the patched versions: 5.22.7 or later for the 5.x branch, or 4.48.8 or later for the 4.x branch.

Indicators of Compromise

Write requests (POST/PUT) to the API endpoint ‘/members/api/member/’ whose request data references newsletters, and unexpected changes to newsletter settings or content that were not made by an administrator.
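As an added example (not part of this bulletin and not Ghost's own code), the following Python scans request records for the pattern described in the Vulnerability Detection and Indicators of Compromise sections: write requests to ‘/members/api/member/’ whose body carries newsletter objects with fields beyond the subscription identifier, or with HTML/script content in those fields. The JSON-lines log format, the field names, the sample records and the assumption that a benign subscription change names a newsletter only by its id are all assumptions made for illustration; adapt them to whatever your reverse proxy or WAF actually records.

```python
import json
import re

# Constructed sample request records in an assumed JSON-lines format from a
# reverse proxy or WAF that captures request bodies. Not real Ghost traffic.
SAMPLE_LOG = r'''
{"ts":"2022-11-29T10:00:01Z","src":"203.0.113.10","method":"GET","path":"/members/api/member/","body":""}
{"ts":"2022-11-29T10:00:05Z","src":"203.0.113.10","method":"PUT","path":"/members/api/member/","body":"{\"newsletters\":[{\"id\":\"63854b2e1f2c0a0012345678\"}]}"}
{"ts":"2022-11-29T10:01:12Z","src":"198.51.100.7","method":"PUT","path":"/members/api/member/","body":"{\"newsletters\":[{\"id\":\"63854b2e1f2c0a0012345678\",\"name\":\"Weekly\",\"description\":\"<script>alert(1)</script>\"}]}"}
{"ts":"2022-11-29T10:02:40Z","src":"198.51.100.7","method":"PUT","path":"/members/api/member/","body":"{\"newsletters\":[{\"id\":\"63854b2e1f2c0a0012345678\",\"sender_name\":\"Support <a href=https://example.invalid>Login</a>\"}]}"}
{"ts":"2022-11-29T10:03:00Z","src":"192.0.2.5","method":"POST","path":"/ghost/api/admin/posts/","body":"{\"posts\":[{\"title\":\"Hello\"}]}"}
'''

MEMBER_ENDPOINT = "/members/api/member/"
WRITE_METHODS = {"PUT", "POST", "PATCH"}
# Assumption: a benign subscription change only names the newsletter by id.
ALLOWED_NEWSLETTER_KEYS = {"id"}
# Crude markup detector: an opening/closing tag or a javascript: URL.
HTML_OR_SCRIPT = re.compile(r"<\s*/?\s*[a-zA-Z]|javascript:", re.IGNORECASE)


def analyse_record(rec):
    """Return a list of reasons this request looks like exploitation, or []."""
    if rec.get("method") not in WRITE_METHODS:
        return []
    if not rec.get("path", "").startswith(MEMBER_ENDPOINT):
        return []
    try:
        body = json.loads(rec.get("body") or "{}")
    except json.JSONDecodeError:
        return ["unparseable body on member write"]
    newsletters = body.get("newsletters") if isinstance(body, dict) else None
    if not isinstance(newsletters, list):
        return []
    reasons = []
    for nl in newsletters:
        if not isinstance(nl, dict):
            continue
        # A member should only be able to pick newsletters, not edit them.
        extra = sorted(set(nl) - ALLOWED_NEWSLETTER_KEYS)
        if extra:
            reasons.append("newsletter fields modified via member API: " + ", ".join(extra))
        # Markup in any newsletter field is the XSS/phishing vector.
        for key, val in nl.items():
            if isinstance(val, str) and HTML_OR_SCRIPT.search(val):
                reasons.append(f"markup in newsletter field {key!r}")
    return reasons


def scan(log_text):
    """Parse JSON-lines request records and return the suspicious ones."""
    hits = []
    for line in log_text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        reasons = analyse_record(rec)
        if reasons:
            hits.append({"ts": rec["ts"], "src": rec["src"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ts"], hit["src"], "; ".join(hit["reasons"]))
```

On the constructed sample the plain subscription update from 203.0.113.10 is ignored, while both requests from 198.51.100.7 are flagged: one for editing name and description (with a script tag), the other for setting sender_name to a phishing-style link. Any hit on a version in the affected ranges should be treated as a likely compromise and followed by a review of every newsletter's settings and content.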

Threat Landscape

Ghost CMS is a free and open-source content management system used widely in the US, the UK and Germany, and is regarded as a simpler alternative to WordPress.

Mitre Methodologies

TA0042 – Resource Development
T1586.002 – Email Accounts
T1102 – Web Services
TA0004 – Privilege Escalation
T1548.002 – Bypass User Account Control

Further Information

Ghost CMS Github Advisories

Talos Intelligence Researchers