"Popular open source Content Management Systems (CMSs) like
Drupal, Joomla! and WordPress, are regularly subject to source code
reviews as well as blackbox pentesting. Thus, vulnerabilities in
these systems are quickly identified and fixed. And security
updates are frequently released. Unfortunately, people tend to
install the base CMS, add plugins, build their website and then
never upgrade when security patches are available. Furthermore,
third party developed plugins usually extend the offender's attack
surface and expose the CMS-based website to new threats.
"During pentests, and facing a CMS based website, I often look
for open source security tools that are targeted specifically at
the CMS in question. These tools usually excel at fingerprinting
the CMS version used by the target, detecting installed
plugins/themes, and identifying corresponding vulnerabilities.