700+ Ghost CMS Sites Hit By Click Fix Attack #cybersecurity #crypto #news

Wordfence Security News Clip | May 25, 2026

More than 700 Ghost CMS sites have been compromised in an active ClickFix exploitation campaign, including sites associated with Harvard University, Oxford University, Auburn University, and DuckDuckGo.

The exploited vulnerability is a critical SQL injection flaw affecting Ghost CMS versions 3.24.0 through 6.19.0.

A patch was released in February 2026 in version 6.19.1.

Nicholas Carlini at Anthropic discovered the flaw while testing Claude Opus 4.6, having targeted Ghost specifically because of its strong security track record.

Within 90 minutes, Claude identified a blind SQL injection in Ghost's content API and used it to extract the admin API key from the database.

Anthropic disclosed the vulnerability to Ghost on February 16th, and Ghost published a fix within days.

The attack works in stages: an unauthenticated attacker sends a crafted request to Ghost's public content API, the SQL injection extracts the admin API key, and the attacker then calls Ghost's legitimate admin API to modify article content directly.

Attackers inject a malicious JavaScript loader into articles. When a real user visits, a cloaking script filters out bots and redirects visitors to a fake Cloudflare verification page that instructs them to run a command via Win+R, which silently installs malware.

A DLL in the malware payload carries a compilation timestamp of February 16th, the same day Anthropic reported the vulnerability, suggesting campaign preparation began very early, though mass exploitation was not detected until May.

Ghost operators should update to version 6.19.1 or later, rotate admin API keys, and audit article content for injected JavaScript.
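
One way to approach the content audit step, as an added example that is not Wordfence's or Ghost's own code: it scans post HTML and code-injection fields for script tags loaded from hosts outside an operator-supplied allowlist, and queues every inline script for review. The post field names (`slug`, `html`, `codeinjection_head`, `codeinjection_foot`), the allowlist, and all hosts are assumptions; the regex is a triage aid, not a full HTML parser.

```javascript
// Added example: triage Ghost post HTML for script tags nobody on the team added.
// Assumed input shape: { slug, html, codeinjection_head?, codeinjection_foot? }.
const SCRIPT_TAG = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
const SRC_ATTR = /(?:^|\s)src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
const FIELDS = ["html", "codeinjection_head", "codeinjection_foot"];

// Resolve a script src against the site origin so relative and
// protocol-relative URLs are compared by their real host.
function scriptHost(src, siteOrigin) {
  try {
    return new URL(src, siteOrigin).host.toLowerCase();
  } catch {
    return null; // unparseable src: report it rather than skip it
  }
}

function auditPosts(posts, siteOrigin, allowedHosts) {
  const allowed = new Set([new URL(siteOrigin).host, ...allowedHosts].map((h) => h.toLowerCase()));
  const findings = [];
  for (const post of posts) {
    for (const field of FIELDS) {
      if (typeof post[field] !== "string") continue;
      for (const [, attrs, body] of post[field].matchAll(SCRIPT_TAG)) {
        const m = SRC_ATTR.exec(attrs);
        if (m) {
          const src = m[1] ?? m[2] ?? m[3];
          const host = scriptHost(src, siteOrigin);
          if (host === null || !allowed.has(host)) {
            findings.push({ slug: post.slug, field, kind: "external-script", detail: src });
          }
        } else if (body.trim() !== "") {
          // Inline scripts cannot be allowlisted by host; queue all for review.
          findings.push({ slug: post.slug, field, kind: "inline-script", detail: body.trim().slice(0, 80) });
        }
      }
    }
  }
  return findings;
}

// Constructed sample posts; every host below is a placeholder.
const SAMPLE_POSTS = [
  { slug: "clean", html: '<p>Hi</p><script src="/assets/built/app.js"></script>' },
  { slug: "tampered", html: '<p>News</p><script src="https://loader.example.net/a.js"></script>' },
  { slug: "embed", html: '<script async src="//platform.example.org/widgets.js"></script>',
    codeinjection_foot: "<script>document.title = 'x';</script>" },
];
console.log(auditPosts(SAMPLE_POSTS, "https://blog.example.com", ["platform.example.org"]));
```

Run it against content pulled after patching and key rotation, since a still-valid admin API key lets the same content be modified again.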

00:00 Intro
00:14 Impact
00:31 Discovery
01:02 Technical Detail
01:51 ClickFix Attack
02:04 Timeline
02:21 Action

📰 Story Links:
• 700+ Ghost CMS Sites Hacked in ClickFix Campaign: https://github.com/advisories/GHSA-w52v-v783-gw97
