Late last year, CSO Online reported on a vulnerability in Drupal that could have left thousands of websites compromised. Last week, researchers examined the attack in more detail, measuring the time it would take to compromise a website completely.
On October 15, 2014, Drupal urged users to apply an update that fixed an SQL Injection vulnerability. Unfortunately, unless the patch was applied within a seven hour window, Drupal warned administrators that they should just assume installations in the Drupal 7.x branch before version 7.32 were already compromised.