Skip to main content

Hackers could attack 1 million websites in a content management system flaw

A vulnerability discovered in a popular content management system could leave nearly 1 million websites open to attack if left unpatched. The developers behind the content management system, Drupal, label the issue as “highly critical” because the vulnerability enables various attack points and could grant hackers complete control of a website. The vulnerability exists within Drupal 6.x, Drupal 7.x, and Drupal 8.x.  

A content management system is the backbone of a website. It’s a database that stores and manage all digital input, including articles, images, photos, and more. Most content management system layouts provide a friendly interface for inserting content along with the necessary search engine optimization fields to get the resulting webpage noticed on Google, Yahoo, Bing, and so on. 

Recommended Videos

Drupal is just one of many content management systems to manage pages and media across a website. A few other systems include WordPress, Joomla, and Kentico while many websites simply rely on an in-house content management system for the highest level of customization and security.  

Please enable Javascript to view this content

Jasper Mattsson of development house Druid found the vulnerability in Drupal, dubbed as SA-CORE-2018-002, as part of Drupal’s routine security examination. The Drupal team doesn’t go into specifics but merely state that hackers could compromise a Drupal-based site. So far, there is no known exploit to take advantage of this vulnerability, thus site-based sabotage is merely theoretical for now. 

Based on the company’s in-house scoring system, here is what the vulnerability covers: 

  • All non-public data is accessible
  • All data can be modified or deleted
  • Default or common module configurations are exploitable, but a config change can disable the exploit 

“Note on the last point that while a configuration change can theoretically mitigate the issue, it would have to be a drastic configuration change,” the Drupal team states. “The Security Team strongly recommends that the best solution is for sites to upgrade.” 

Finally, here is  Drupal’s update schedule to fix the vulnerability: 

Version  Status  Solution 
Drupal 6.x 

End of Life 

Contact a D6LTS vendor 

Drupal 7.x 

Active 

Upgrade to Drupal 7.58 or
install this patch. 

Drupal 8.3.x 

Not supported 

Upgrade to Drupal 8.3.9 or
install this patch. 

Drupal 8.4.x 

Not supported 

Upgrade to Drupal 8.4.6 or
install this patch. 

Drupal 8.5.x 

Active 

Upgrade to Drupal 8.5.1 or
install this patch. 

 “Drupal 8.3.x and 8.4.x are no longer supported and we don’t normally provide security releases for unsupported minor releases,” the team adds. “However, given the potential severity of this issue, we are providing 8.3.x and 8.4.x releases that includes the fix for sites which have not yet had a chance to update to 8.5.0.” 

According to BuiltWith, 37 percent of the websites using a content management system rely on WordPress followed by Drupal at nine percent and Google’s Search Appliance at three percent. The stats also show that Drupal powers 928,443 sites while WordPress backs 19,883,677 websites, or 5.3 percent of the entire internet, as of April 2.

Kevin Parrish
Former Digital Trends Contributor
Kevin started taking PCs apart in the 90s when Quake was on the way and his PC lacked the required components. Since then…
Snap up this Lenovo 23.8-inch monitor deal and gain more screen space
The Lenovo ThinkVision 23.8-inch monitor on a white background.

For great monitor deals, check out what Lenovo has to offer. Today, you can buy the Lenovo ThinkVision 23.8-inch monitor for $299. It’s a well-designed monitor with some great features for anyone looking to expand their working environment for less. Here’s what it has to offer and why you might want to buy it.

Why you should buy the Lenovo ThinkVision 23.8-inch monitor
Lenovo isn’t a name you’ll see among the best monitors, but don’t let that put you off -- Lenovo is a reliable brand. With the Lenovo ThinkVision 23.8-inch monitor, you get a 23.8-inch full HD IPS panel that provides a wide color gamut of 99% sRGB. That means fantastic color accuracy even from wide angles. The monitor also has a 3-side NearEdgeless bezel design, so there are fewer distractions, and it looks good while taking up less room.

Read more
Nvidia’s RTX 5090 struggles to run Cyberpunk 2077 at 30 fps
Nvidia's RTX 5090 sitting at CES 2025.

Nvidia makes some of the best graphics cards, but Deep Learning Super Sampling (DLSS) is an increasingly big part of what makes them great. This can be seen very clearly in a new RTX 5090 gaming test, in which the behemoth flagship couldn't even maintain an average of 30 frames per second (fps) in Cyberpunk 2077 at maximum settings when DLSS was toggled off.

YouTuber PC Centric got to take the RTX 5090 for a quick spin at CES 2025, and while the GPU breezed through 4K gameplay at max settings with path tracing enabled, this was only true with DLSS in the picture.

Read more
AMD flagship GPUs to make a comeback with RDNA successor
AMD Radeon RX 7900 XTX hovers over a raging fire.

A recent leak on the Chiphell forums has revealed AMD's ambitious plans for its upcoming CPU and GPU architectures. According to a post by forum member zhangzhonghao, AMD is preparing to utilize TSMC’s cutting-edge N3E process node for its next-generation Radeon GPUs and potentially for some of its future CPUs.

The leak highlights the development of GPUs based on the new UDNA architecture, which will succeed the current RDNA. These GPUs are expected to include a flagship model capable of competing with Nvidia’s top-tier GeForce RTX cards, addressing the lack of a high-end option in AMD’s current RDNA 4 lineup.

Read more