2024 CMS Vulnerability Report
In 2024, the most widely used traditional CMS platforms included WordPress, Drupal, Umbraco, and Sitecore, collectively powering a significant portion of the web.
Despite their popularity, these platforms faced critical security challenges that left many businesses vulnerable to cyber threats. A primary issue stems from their reliance on regular updates to remain secure and the extensive use of third-party plugins to add functionality. If the core platform or plugins are not promptly updated, vulnerabilities can quickly emerge, and in some cases, platform updates must wait until plugins are made compatible, further delaying critical fixes.
WordPress
In 2024, WordPress maintained its position as the most popular content management system (CMS). Its market share increased from 43.1% in 2023 to 43.6% in 2024, indicating a continued growth in adoption.
Being the most popular CMS, WordPress is particularly appealing to attackers. In 2024, it was estimated to power approximately 43 percent of all websites globally, over 472 million sites. This dominance makes it a prime target, amplifying the risks associated with traditional CMS platforms.
In 2024, a number of critical vulnerabilities were identified in popular WordPress plugins, posing significant security risks to millions of websites. Notable instances include:
LiteSpeed Cache Plugin: A critical flaw (CVE-2024-28000) in this plugin, used by 6M+ sites, allowed attackers to gain admin access. Patched in version 6.4.
Really Simple Security Plugin: An authentication bypass flaw (CVE-2024-10924) with a CVSS score of 9.8 enabled attackers to log in as admins. Fixed in version 9.1.2.
Anti-Spam by CleanTalk: Two vulnerabilities (CVE-2024-10542, CVE-2024-10781) allowed attackers to install plugins or execute code. Patched in versions 6.44 and 6.45.
GiveWP Plugin: A critical PHP Object Injection flaw (CVE-2024-5932) with a CVSS score of 10.0 affected 100K+ sites, allowing remote code execution. Fixed in version 3.14.2.
WordPress was highly proactive in releasing numerous updates throughout 2024 to address security issues. However, despite their efforts to promptly resolve vulnerabilities, the total number of vulnerabilities increased over the year. A significant challenge for WordPress remains its heavy reliance on third-party plugins and themes, which often introduce additional security risks.
A critical vulnerability was identified right at the start of 2025 in the widely used WordPress backup plugin, Updraft Plus, installed on over 3 million websites. This flaw could allow unauthenticated attackers to carry out malicious attacks.
Adding to WordPress’s challenges, the “WordPress drama” of 2024 centred on a legal dispute between Automattic, the company behind WordPress.com, and WP Engine, a major hosting provider. The conflict began when Automattic decided to create a new version (fork) of Advanced Custom Fields (ACF), a popular plugin owned by WP Engine. Automattic claimed the fork was necessary to ensure the plugin remained widely accessible, but WP Engine viewed it as an overreach and an attempt to assert control over their product.
The dispute escalated into a lawsuit, with WP Engine accusing Automattic of trying to dominate the WordPress ecosystem. This division also split the WordPress community: some supported Automattic’s efforts to preserve open access, while others felt the move contradicted WordPress’s open-source principles.
This controversy underscores a broader challenge for WordPress: balancing its open-source roots with the commercial interests of the companies that rely on it. With WordPress powering such a significant share of the web, these disputes do not just affect the platform; they impact millions of businesses, raising important questions about its future governance and direction.
Drupal
In 2024, Drupal experienced a decline in popularity, with its market share dropping by approximately 28% compared to 2023, decreasing from 1.3% to 0.9% of all websites.
This decline reflects a broader trend favouring more user-friendly platforms, which have gained traction due to their intuitive interfaces and extensive plugin ecosystems. However, Drupal remains a strong choice for complex, high-traffic websites, especially in sectors such as government, education, and media, where its flexibility and robust features continue to be highly valued.
Throughout 2024, Drupal issued several critical security updates.
XSS Vulnerability: Found in the Overlay module of Drupal 7, allowing attackers to inject malicious scripts. Patched promptly.
Access Bypass: Inconsistent checks for user fields let multiple users register with the same email, risking data integrity. Fixed in updates.
Denial of Service (DoS): A flaw in the Comment module enabled attackers to disrupt site availability with specific requests.
PHP Object Injection: Vulnerabilities that could lead to remote code execution or file deletion if exploited with unsafe input. Addressed in updates.
Although the official count of vulnerabilities for the year has yet to be finalised, reports suggest the number rose to approximately 450–500.
Umbraco
In 2024, Umbraco’s popularity remained steady, holding a market share of less than 0.1% among content management systems. Despite its niche standing, it remains a preferred choice for developers due to its flexibility and strong integration capabilities within the Microsoft ecosystem.
Umbraco benefits from the security features of the .NET framework and the closed nature of the .NET ecosystem, which provides a reduced exposure to vulnerabilities compared to open-source PHP platforms like WordPress.
In 2024, vulnerabilities increased significantly, with several critical security issues demanding immediate action.
CVE-2024-29035: Webhook logs exposed critical information even when not in debug mode. Fixed in version 13.1.1.
CVE-2024-47819: XSS vulnerability in versions 14.0.0 to 14.3.1 and 15.0.0 allowed privilege escalation. Patched in 14.3.1 and 15.0.0.
CVE-2024-48929: Incomplete session termination left accounts vulnerable. Resolved in versions 13.5.2 and 10.8.7.
October 22, 2024: Patches addressed four medium-severity issues across multiple versions.
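The WordPress plugin list above and the Umbraco CVE list share one practical question: is the version you actually run at or above the "fixed in" release? The script below is an added example, not part of this report or of any vendor's tooling; it keys an inventory by the report's own component names (an assumption, since the report gives no plugin slugs) and only trusts a fix on the same major branch, which matters for Umbraco CVE-2024-48929 with its separate 10.x and 13.x fixes.

```python
"""Compare an installed-component inventory with the 'fixed in' versions
quoted in this report, to spot components still on a vulnerable release."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    component: str
    cve: str
    fixed_in: tuple  # one fixed version per affected release branch


# Fixed versions as the report states them. Component names are the report's
# display names, not plugin slugs (assumption: the inventory uses the same).
ADVISORIES = (
    Advisory("LiteSpeed Cache", "CVE-2024-28000", ("6.4",)),
    Advisory("Really Simple Security", "CVE-2024-10924", ("9.1.2",)),
    # Two CVEs patched in 6.44 and 6.45, so 6.45 closes both.
    Advisory("Anti-Spam by CleanTalk", "CVE-2024-10542/CVE-2024-10781", ("6.45",)),
    Advisory("GiveWP", "CVE-2024-5932", ("3.14.2",)),
    Advisory("Umbraco", "CVE-2024-29035", ("13.1.1",)),
    Advisory("Umbraco", "CVE-2024-48929", ("10.8.7", "13.5.2")),
)


def parse_version(text):
    """'6.4' -> (6, 4, 0): padded so that 6.4 and 6.4.0 compare equal."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))


def fix_status(installed, fixed_in):
    """'patched', 'vulnerable' or 'unknown' for one installed version.
    Only a fix on the same major branch counts (13.5.2 says nothing about 10.x);
    anything older than every listed fix is treated as vulnerable, and a branch
    the report lists no fix for is reported as unknown rather than guessed."""
    inst = parse_version(installed)
    fixes = [parse_version(f) for f in fixed_in]
    for fixed in fixes:
        if fixed[0] == inst[0]:
            return "patched" if inst >= fixed else "vulnerable"
    return "vulnerable" if inst < min(fixes) else "unknown"


def audit(inventory):
    """inventory: {component: installed version} -> (component, cve, status) list."""
    return [(a.component, a.cve, fix_status(inventory[a.component], a.fixed_in))
            for a in ADVISORIES if a.component in inventory]


# Constructed sample inventory, not taken from any real site.
SAMPLE_INVENTORY = {"LiteSpeed Cache": "6.3.0.1", "GiveWP": "3.14.2", "Umbraco": "13.4.0"}
```

Feed `audit()` the output of your plugin or package listing and treat every "vulnerable" or "unknown" row as an update task; the "unknown" rows are branches for which the report quotes no fix, so check the vendor advisory rather than assuming either way.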
As with any traditional CMS, the security of Umbraco relies heavily on proper configuration and the prompt application of updates. While third-party plugins and extensions enhance functionality, they can pose security risks if not thoroughly vetted.
The main security risk with Umbraco is that many users continue to run versions that have reached end-of-life, such as Umbraco 7, with no straightforward upgrade path to newer versions. These outdated versions no longer receive security updates, leaving them highly vulnerable to potential threats, a serious concern for any business.
Umbraco 7: Reached end of life (EOL) on September 30, 2023 and has stopped receiving updates, including security patches.
Umbraco 8: Entered the security-only phase on February 24, 2024, and is scheduled to reach EOL on February 24, 2025.
Umbraco 10: A Long-Term Support (LTS) version, it will reach EOL on June 16, 2025.
Umbraco 13: An LTS release, it is expected to reach EOL on December 14, 2026.
If your website is running a version nearing end of life, it’s essential to start planning now. This could involve upgrading to a supported version or transitioning to an alternative platform.
Sitecore
In 2024, Sitecore’s popularity appeared to grow, with its annual recurring revenue exceeding $500 million.
Unlike WordPress, Drupal, and Umbraco, Sitecore is a premium, paid solution designed exclusively for enterprise-level customers.
Continuing the trend, 2024 saw a rise in Sitecore vulnerabilities, including several critical security issues that demanded immediate attention.
CVE-2024-46938: Arbitrary file read vulnerability in Sitecore XP/XM/XC (versions 8.0–10.4), potentially leading to remote code execution. Fixed in August 2024.
XSS Vulnerability: Affected the hdl parameter in Sitecore Identity Server for versions before 10.3, allowing malicious script injection. Addressed in April 2024.
Similar to Umbraco, the main security risk with Sitecore is users stuck on end-of-life versions, unable to upgrade easily due to both the code changes involved and the substantial cost.
As of January 2025, the following Sitecore versions are approaching their end-of-life (EOL):
Sitecore 10.0 and 10.1: Mainstream support for these versions concluded on December 31, 2023. They have now entered the Extended Support phase, which will end on December 31, 2026. After this date, they will transition to Sustaining Support until December 31, 2028.
Sitecore 9.3 and 9.2: Currently in Extended Support, which is scheduled to end on December 31, 2025. Subsequently, they will move to Sustaining Support until December 31, 2027.
During the Extended Support phase, Sitecore only provides critical security updates, with no new features or regular bug fixes. Once a version transitions to Sustaining Support, assistance becomes limited, and no updates are issued.
If your website is running a version nearing end of life, it’s essential to start planning now. This could involve upgrading to a supported version or transitioning to an alternative platform.
Closing thoughts
Building on the trend from the previous year, 2024 has been a notable year for CMS vulnerabilities, with WordPress unsurprisingly accounting for the largest share due to its widespread popularity.
When reviewing the graph, the sheer volume of vulnerabilities in WordPress may overshadow those found in Drupal, Umbraco, and Sitecore. However, it’s essential not to underestimate the risks associated with these platforms. All four CMS platforms have seen a rise in vulnerabilities, each requiring prompt updates to maintain security.
While keeping any CMS fully updated is critical for security, the real challenge lies in consistently managing updates. Often, updates are delayed because a plugin must be updated first, creating a window of vulnerability for your site.
An increasing trend we’ve noticed with new business enquiries is organisations stuck on outdated CMS versions, many of which have already reached or are nearing end-of-life. This is especially common among Umbraco and Sitecore users, leaving their websites exposed and requiring a clear upgrade path.
In conclusion, if you’re using a traditional CMS, ensuring your website’s safety depends on consistently running the latest, most up-to-date version. It’s essential to have a proactive plan to regularly check for updates for both the CMS and its plugins. If updating promptly to the latest version isn’t feasible, it may be time to explore alternative solutions.
If you’re concerned about the security of your CMS or are using a version approaching end-of-life, we’re here to help.
At Anything, we’ve spent over a decade specialising in Headless CMS solutions, offering a seamless approach that eliminates the need for manual CMS updates. We use Storyblok CMS, a cloud-based platform that updates automatically to ensure optimal security. With ISO 27001 certification, Storyblok provides enterprise-class security for complete peace of mind for your site’s safety and compliance. Plus, we’ll take care of the entire migration process for you.
To learn more or to book a free demonstration of Storyblok, please get in touch.