PT-2021-24388 · Ghost · Ghost

Published: 2021-09-23 · Updated: 2021-09-23
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Ghost versions 3.18.0 through 4.15.0
Description: An error in the implementation of the member email change functionality allows unauthenticated users to change the email address of arbitrary member accounts by crafting a request to the relevant API endpoint, such as "POST /members/api/send-magic-link/", and validating the new address via a magic link sent to the new email address.
Recommendations: For Ghost versions 3.18.0 through 3.42.5, update to version 3.42.6 as soon as possible. For Ghost versions 4.0.0 through 4.15.0, update to version 4.15.1 as soon as possible. As a temporary workaround, consider blocking the POST /members/api/send-magic-link/ endpoint to prevent exploitation, although this will also disable member login and signup for the site.
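To turn the two affected ranges above into a triage check, here is an added example (not part of this advisory or of the Ghost project) that decides whether a given Ghost version is in scope and which patched release the advisory says to move to. It assumes plain MAJOR.MINOR.PATCH version strings and compares components numerically, so that 3.9.0 sorts below 3.18.0 as intended.

```javascript
// Added example: maps a Ghost version onto the affected ranges stated in
// PT-2021-24388 and returns the fixed release to upgrade to.

// [first affected, last affected, fixed release], exactly as the advisory states.
const AFFECTED_RANGES = [
  { from: "3.18.0", to: "3.42.5", fixed: "3.42.6" },
  { from: "4.0.0",  to: "4.15.0", fixed: "4.15.1" },
];

// Parse "MAJOR.MINOR.PATCH" (optional leading "v") into three integers.
// Rejects anything else rather than guessing, so odd inputs surface loudly.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return m.slice(1).map(Number);
}

// Numeric component-wise compare: <0 if a < b, 0 if equal, >0 if a > b.
// A lexical string compare would wrongly place "3.9.0" after "3.18.0".
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Returns { vulnerable: true, upgradeTo } when the version falls inside an
// affected range (bounds inclusive), otherwise { vulnerable: false }.
function assessGhostVersion(version) {
  for (const r of AFFECTED_RANGES) {
    if (compareVersions(version, r.from) >= 0 &&
        compareVersions(version, r.to) <= 0) {
      return { vulnerable: true, upgradeTo: r.fixed };
    }
  }
  return { vulnerable: false };
}

// Constructed sample inventory (hypothetical hosts and versions) for a dry run.
const SAMPLE_INVENTORY = { "blog-a": "3.40.2", "blog-b": "4.15.1", "blog-c": "v4.2.3" };
for (const [host, ver] of Object.entries(SAMPLE_INVENTORY)) {
  const r = assessGhostVersion(ver);
  console.log(host, ver, r.vulnerable ? `upgrade to ${r.upgradeTo}` : "not affected");
}
```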

Related Identifiers: GHSA-65P7-PJJ8-GGMR

Affected Products: Ghost