Let’s be real… When it comes to open-source CMS platforms, WordPress and Drupal have dominated the web for years. They're flexible, powerful, and free to use. But with great popularity comes great vulnerability. From 2020 to 2025, these two giants have been the target of a series of high-profile attacks that have cost organisations dearly in both time and trust.

So, what went wrong? And more importantly, how do you make sure your organisation isn’t the next headline?

Let’s dive into the most notorious CMS security incidents from the past five years and unpack what they teach us about smarter, safer digital platforms.


WordPress: The Plugin Playground… and Its Pitfalls


September 2020 – File Manager Plugin Mayhem

A critical bug in the File Manager plugin (used by over 700,000 WordPress sites) allowed attackers to upload and run arbitrary code. 

The result? Hijacked sites, malicious redirects, and a whole lot of defaced homepages. All because a file management plugin included an outdated library that skipped authentication checks.

What went wrong: A third-party plugin flaw.

How could this have been avoided? A proprietary CMS like Adobe Experience Manager doesn’t rely on plug-and-play components. Core functionality is vendor-vetted, updated, and secured.

 

July 2022 – Kaswara Addons and the Ghost Plugin

The Kaswara Modern WPBakery Page Builder Addons plugin was abandoned by its developer, but thousands of sites were still using it. Attackers exploited a critical flaw that let them upload malicious files and take over sites, some of which started redirecting users to scam pages or worse.

What went wrong: Plugin was no longer maintained. Vulnerabilities were known, but unpatched.

How could this have been avoided? In a proprietary CMS, unsupported plugins aren’t part of the picture. Governance and quality control are baked in. When something breaks, there's a vendor on the hook to fix it.

 

September 2022 – The WPGateway Zero-Day

A zero-day in the WPGateway plugin let attackers create rogue admin accounts without a password. One click and your site was theirs. It hit over 280,000 WordPress sites.

What went wrong: A logic flaw in plugin authentication.

How could this have been avoided? Enterprise platforms like Sitecore have strict authentication flows. Admin access isn’t something you can spoof with a crafty header. Also, you’d typically be running behind enterprise firewalls and identity management systems, giving you layers of protection.

 

July 2023 – WooCommerce Payments Plugin Breach

Even the official WooCommerce Payments plugin wasn’t safe. A critical flaw allowed attackers to impersonate admin users and install backdoors. Despite an emergency patch, the exploit was reverse-engineered and used in mass attacks.

What went wrong: Authentication bypass due to a flaw in handling user identity headers.

How could this have been avoided? In a proprietary or closed-source ecosystem, payment modules undergo heavy scrutiny and centralised patching. Risky business logic like this simply doesn’t make it to production.

 

 

Less Bloat, More Boom: The Risk of Core Vulnerabilities in Drupal


November 2020 – Drupal Core RCE (Archive_Tar Library)

This wasn’t a plugin problem. This was a core Drupal vulnerability, affecting nearly a million sites. The issue stemmed from a third-party file handling library that allowed remote code execution via specially crafted archive files.

What went wrong: A vulnerability in Drupal core’s file upload system.

How could this have been avoided? By asking one simple question: Do I really need this plugin?

This incident is a classic case of third-party plugin risk — something open-source CMS users have to constantly stay on top of. The File Manager plugin, while handy, introduced critical functionality (file uploads, directory access, server-level control) with minimal hardening or oversight.

Whilst this could also happen within an enterprise CMS, it’s far less likely. Proprietary platforms don’t rely on external open-source libraries without rigorous testing. And when issues do arise, patches are pushed quickly, often before exploits surface.

What ties these security breaches together 

Spot the pattern? So did we. 

Whether it was a plugin in WordPress or a core flaw in Drupal, the pattern is clear: the open, decentralised nature of these platforms is both their greatest strength and their biggest weakness.

Sure, you get flexibility, but you also get risk. A plugin created by a solo developer in 2015 can still live on thousands of websites today, vulnerable and unmonitored. And because attackers can read the source code, they can easily reverse-engineer bugs and automate attacks.

 

The Enterprise CMS Advantage

Here’s where proprietary CMS platforms like Xperience by Kentico shine:

Fewer moving parts. Built-in functionality replaces hundreds of plugins.

Centralised governance. One vendor, one roadmap, one patch process.

Stronger quality assurance. Enterprise modules go through rigorous testing.

Faster response times. Security flaws are patched quickly, sometimes before they’re publicly known.

Fewer headlines. You rarely hear about enterprise CMS hacks in the news because they’re less frequent, better managed, and often stopped before mass exploitation occurs.

Cutting through the noise - Your CMS Reality Check 

Running your digital platform on WordPress or Drupal? You’re not alone, but you are exposed. 

If your organisation doesn’t have the time, skill, or budget to stay on top of updates, vet every plugin, and patch zero-days before breakfast, you might want to reconsider your tech stack.

At Dapth, we help organisations design and deliver digital ecosystems that are secure, scalable, and supported. Whether it’s through Kentico Xperience or custom enterprise solutions, we bring strategy and technology together to keep your digital presence sharp and safe.

Stay tuned for more insights or reach out if you’re ready to rethink your CMS strategy. Because in today’s digital world, security isn’t a nice-to-have, it’s non-negotiable.

 

Get in touch

We transform

Discover More insights.

One thing we won't apologise for? Our passion for the digital world.