Sites that run the Drupal content management system run the risk of being hijacked until they're patched against a vulnerability that allows hackers to remotely execute malicious code, managers of the open source project warned Wednesday.

CVE-2019-6340, as the flaw is tracked, stems from a failure to sufficiently validate user input, managers said in an advisory. Hackers who exploited the vulnerability could, in some cases, run code of their choice on vulnerable websites. The flaw is rated highly critical.

"Some field types do not properly sanitize data from non-form sources," the advisory stated. "This can lead to arbitrary PHP code execution in some cases."

For a site to be vulnerable, one of the following conditions must be met:

It has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests or

It has another Web-services module enabled, such as JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7

Project managers are urging administrators of vulnerable websites to update at once. For sites running version 8.6.x, this involves upgrading to 8.6.10 and sites running 8.5.x or earlier upgrading to 8.5.11. Sites must also install any available security updates for contributed projects after updating the Drupal core. No core update is required for Drupal 7, but several Drupal 7 contributed modules do require updates.

Popular hacking target

Drupal is the third most-widely used CMS behind WordPress and Joomla. Drupal project leaders said the CMS as of this month was used by about 1.2 million sites, but they also say the estimate is "incomplete." Outside sources, for example here and here, calculate Drupal's usage is anywhere from 3 percent to 4 percent of all websites that run on CMSes. CVE-2019-6340 only affects an unknown subset of Drupal sites that project officials were unable to estimate.

While the precise figure is unknown, vulnerable Drupal sites number in the thousands, tens of thousands or possibly hundreds of thousands. Critical flaws in any CMS are popular with hackers, because the vulnerabilities can be unleashed against large numbers of sites with a single, often-easy-to-write script.

In 2014 and again last year , hackers wasted no time exploiting extremely critical code-execution vulnerabilities shortly after they were fixed by Drupal project leaders. Last year's "Drupalgeddon2" vulnerability was still being exploited six weeks after it was patched , an indication that many sites that run on Drupal failed to heed the urgent advice to patch.

At the time this post was going live, there were no reports of the latest Drupal vulnerability being actively exploited in the wild. On Friday, researchers detected signs hackers were scanning the Internet for potentially vulnerable sites, an indication that active exploit attempts may follow.

This post was updated to remove estimates that millions of sites are vulnerable. As explained in the fourth- and fifth-to last paragraphs, the number is unknown, but is almost certainly less than that.