Large-Scale ClickFix Campaign Exploits Ghost CMS SQL Injection Flaw

Critical SQL Injection Flaw Exposed in Large-Scale Campaign Targets Ghost CMS Websites

A significant vulnerability in Ghost CMS has been exploited in a large-scale campaign, compromising over 700 domains across various industries. Researchers at XLab identified the issue, which affects versions 3.24.0 through 6.19.0 of the content management system.

• The flaw, designated as CVE-2026-26980, enables unauthenticated attackers to read arbitrary data from the website database, including administrative API keys.
• These API keys grant management access to users, articles, and themes, allowing malicious actors to manipulate article pages.
• Despite a patch release on February 19, many sites failed to apply the security update, leaving them vulnerable to exploitation.

Attack Methodology

Attackers were observed employing a multi-step process to infect compromised sites:

• First, they utilized the SQL injection vulnerability to obtain the administrative API keys.
• Subsequently, they leveraged the elevated privileges to inject malicious JavaScript code into articles.
• This code serves as a lightweight loader, fetching additional instructions from the attacker’s infrastructure.

Mitigation and Recommendations

To mitigate the risk, Ghost CMS website administrators must:

• Immediately upgrade to version 6.19.1 or later
• Rotate all previously used keys, as they may have been compromised
• Perform a thorough review of websites to identify and remove injected scripts
• Maintain a 30-day record of administrative API call logs to facilitate a reliable retrospective investigation

XLab recommends that website administrators take immediate action to secure their sites against this vulnerability, emphasizing the importance of regular updates and security patches, as well as vigilant monitoring of potential threats.

About Author

Anuj

See author's posts