Company
Date Published
Author
Paul Gerste
Word count
1307
Language
English
Hacker News points
None

Summary

The Ghost Content Management System has a significant security vulnerability that allows attackers to gain control of admin accounts and, through them, take over the entire site. The cause is a DOM-based Cross-Site Scripting (XSS) issue in the theme preview feature, which was introduced in version 4.0.0 and fixed in version 4.3.3. The vulnerability can be exploited by getting a logged-in administrator to visit a malicious link, which lets the attacker create new admin accounts without the victim noticing. To avoid such issues during development, it is recommended to validate the origin of cross-origin message events and reject any messages that come from unknown origins. The vendor released a patch in version 4.3.3, and users are advised to update to this version or later to ensure their Ghost instance is secure.
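The mitigation the summary recommends, a `message` event handler that checks `event.origin` against an allow-list before acting on the payload, is shown below as an added example. It is not code from the Ghost project or from the original post: the trusted origin `https://admin.example.com` and the `type` field in the message shape are assumptions chosen for illustration, and the event objects are constructed plain objects standing in for browser `MessageEvent`s so the file runs under Node without a browser.

```javascript
// Added example (not Ghost project code). Compares an unchecked "message"
// handler with one that validates event.origin, the defensive pattern the
// summary recommends for cross-origin postMessage listeners.

// Hypothetical allow-list: the exact origins permitted to send messages to
// this window. Origins are compared by exact string equality; never use
// startsWith/includes, because "https://admin.example.com.evil.test" would
// pass a prefix check.
const ALLOWED_ORIGINS = new Set(["https://admin.example.com"]);

// Constructed stand-in for a browser MessageEvent (only the two fields the
// handler reads). In a real page the browser supplies these.
function makeEvent(origin, data) {
  return { origin, data };
}

// Weak pattern: no origin check, so any page that can obtain a reference
// to this window (e.g. via window.open or an iframe) can deliver a payload
// that the handler then acts upon.
function vulnerableHandler(event) {
  return { accepted: true, payload: event.data };
}

// Hardened pattern: reject anything whose origin is not on the allow-list,
// and additionally reject messages that do not match the expected shape,
// so a stray or malformed message is never handed to rendering code.
function hardenedHandler(event, allowedOrigins = ALLOWED_ORIGINS) {
  if (typeof event.origin !== "string" || !allowedOrigins.has(event.origin)) {
    // Also covers the "null" origin produced by sandboxed or opaque senders.
    return { accepted: false, reason: "untrusted origin: " + String(event.origin) };
  }
  const data = event.data;
  if (typeof data !== "object" || data === null || typeof data.type !== "string") {
    return { accepted: false, reason: "malformed message" };
  }
  return { accepted: true, payload: data };
}

// Wire the hardened handler up when running in a browser; under Node this
// branch is skipped so the module can be exercised directly.
if (typeof window !== "undefined") {
  window.addEventListener("message", (event) => {
    const result = hardenedHandler(event);
    if (!result.accepted) {
      console.warn("dropped message:", result.reason);
    }
  });
}

// Usage: the same lookalike-origin message is accepted by the weak handler
// and dropped by the hardened one.
const lookalike = makeEvent("https://admin.example.com.evil.test", { type: "preview" });
console.log(vulnerableHandler(lookalike).accepted, hardenedHandler(lookalike).accepted);
```

The allow-list is a `Set` of full origins (scheme, host and port), which is what `event.origin` carries; a server-side equivalent would be to compare against the configured admin URL rather than a hard-coded value. Checking the message shape after the origin check is a second, independent layer: it does not replace the origin check, but it keeps a trusted sender from accidentally triggering code paths with unexpected input.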