The world’s biggest companies may be in danger of getting hacked due to outdated WordPress and Drupal installations, just as it happened to law firm Mossack Fonseca, which was at the heart of the Panama Papers data breach.
This piece of information comes to us via US security firm RiskIQ, who decided to scan the world’s biggest companies from the FT30 index, and see who uses WordPress and Drupal CMSs as part of their Web presence, and how many of those installations are running on outdated versions.
Some of the companiesinclude big names such as British American Tobacco, GE, BP, British Gas, Vodafone, BAE Systems, Royal Bank of Scotland, GlaxoSmithKline, and many others.
Between 29 and 40 percent of CMS installations found to be insecure
The security researchers found 1,069 sites hosting either WordPress or Drupal, for which researchers managed to identify the CMS version in 773 setups.
Of the 773 CMSs, researchers found that 307 ran outdated versions for which there existed a known vulnerability (assigned CVE identifier). The number of vulnerable sites is around 40 percent, but if we take into account the sites that couldn’t be scanned, it goes down to 29 percent.
Taking into account that theis suspected of having occurred due to a combination of outdated WordPress and Drupal installations, these companies are literally playing with fire.
WordPress and Drupal have long been a favorite of target for hackers
While a broken CMS may not provide access to the company’s entire network, attackers can use it as an initial foothold for further attacks or reconnaissance operations.
Blocking access to the CMS’s changelog or other API endpoints is recommended for any company in order to minimize its digital footprint in the face of possible attacks.
Reports by other security companies likeand have also revealed that attackers have an affinity for targeting these two CMS technologies, especially the ones using older versions.
Sucuri has also recently reported about hackers still using a nineteen-months-old Drupal flaw calledto hack into Drupal sites to spread SEO spam.