External Threat Management

Does Your Content Management Systems (CMS) Make You Vulnerable? We Tapped the FTSE-30 to Find Out

As the Panama Papers saga rolls on, it’s worth taking the opportunity to revisit a couple of the security exposures that may have led to the exfiltration of terabytes of highly sensitive information—and how those vulnerabilities could result in a successful breach in your organization.

At the time of writing, there has been no official disclosure of how the leak occurred, whether it was an inside job or the result of a successful breach. However, during the aftermath of the foundation-shaking story, the security research community has commented on the poor state of security of Mossack Fonseca (the law firm targeted in the attack), and its IT systems. The firm had numerous vulnerabilities that could have offered the attacker a wide berth of entrance into its network, including outdated versions of their Drupal and WordPress Content Management Systems (CMS).

CMS vulnerabilities are a common denominator of many of the successful attacks we read about. With the ubiquitous nature of CMSs in driving the web experience, potential risks lurk for virtually all organizations. According to W3 Techs’ Web Technology Surveys, 65 percent of all websites using a CMS use WordPress or Drupal, which use open-source code that's available to all—including malicious actors looking for exposures to exploit. The size of the WordPress and Drupal communities compounds the problem, as almost every vulnerability is found and publicized, many of which threat actors exploit before the good guys can patch them.

Smaller organizations may not fully appreciate the risks associated with unpatched applications and infrastructure, or may struggle with limited resources to keep systems up to date. But what about large organizations? To find out if the situation is any better at firms with dedicated security teams and significant IT resources, RiskIQ conducted research across the FTSE-30, looking specifically at WordPress and Drupal instances visible on the open web. The results show that large organizations are facing the same challenges as smaller ones in keeping their CMSs patched.

Across the publicly accessible websites of the FTSE-30, we found 1,069 sites hosting either WordPress or Drupal, 773 of which we were able to identify the version. The other 296 have disabled public access to their CHANGELOG.txt, so their version was unknown. Of the 773 sites with known versions, 307 have known vulnerabilities referenced in one or more CVEs, which represents 40 percent of the total number of sites where the version is known and 29 percent of the total. The real percentage of vulnerable CMS instances lies somewhere in between.


CMSs' role in driving customer engagement, from product information to ongoing communications to support is undisputed. However, in many cases, CMSs are not tier 1 applications set up and supported by central IT, which all too often results in a "setup and forget" approach. Keeping a watchful eye on CMS instances is important to the overall security posture of any organization.

RiskIQ Insights can give security teams visibility into their organization's digital footprint, including the third-party components used on their corporate websites. To learn more about this study and get the scoop on your company's Digital Footprint, contact RiskIQ today.

Subscribe to Our Newsletter

Subscribe to the RiskIQ newsletter to stay up-to-date on our latest content, headlines, research, events, and more.

Base Editor