Drupal is calling on its users to patch a dangerous remote code execution hole that can let attackers easily hijack sites.
The content management system has some 15 million downloads, compared to WordPress on 140 million and Joomla with 30 million, but is used on big ticket and business sites including nine percent of the world's 10,000 most popular sites.
The remote code execution hole lies in Drupal modules used by about 14,000 websites.
"The modules contains a remote code execution which could allow an attacker to completely take over the site using some specially crafted requests," say Drupal security wonks.
"The weakness could be exploited to take a variety of actions on the site, potentially including completely taking over the site and server.
"Any site visitor could exploit the vulnerability."
Affected modules include the RESTWS module which is used to create Rest APIs and is installed on some 5804 sites. The remote code execution flaw was found by Devin Zuczek (@djdevin) and is rated highly critical.
The Coder module used by at least 4951 sites for code analysis is also affected by the remote code execution flaw, found by NCC researcher Nick Bloor (@nickstadb) and rated highly-critical because it does not need to be enabled in order to be exploitable.
Webform Multiple File Upload module is the last affected module which some 3076 sites use to collect files from users. That critical flaw was discovered by Australian Drupal security man Ben Dougherty(@_benjy1).
Drupal has more than 30,000 developers who have contributed more than 33,000 modules. ®