Flaw takes advantage of query sanitiser designed to prevent code execution.
Drupal has patched against a critical SQL injection flaw that would have allowed hackers to remotely execute code on its content management system (CMS).
The bug exists in the application programming interface (API) for Drupal 7, taking advantage of a feature that was actually designed to prevent SQL injection through query sanitisation.
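An added illustration, not the page's own code and not Drupal's, of the pattern involved: a simplified PHP re-implementation of a placeholder-expanding query sanitiser, with the variant that derives placeholder names from the caller's array keys next to a hardened variant that uses `array_values()`. The function and variable names are hypothetical.

```php
<?php
// Added illustration (hypothetical names; simplified, not Drupal's own code):
// a bound array is expanded into one placeholder per element. The unsafe
// variant derives each placeholder name from the caller's array KEY, so
// untrusted key text lands in the SQL string; the safe one uses array_values().
function expand_args_unsafe(string $sql, array $args): array
{
    foreach ($args as $key => $data) {
        if (!is_array($data)) {
            continue;                       // scalar bindings need no expansion
        }
        $expanded = [];
        foreach ($data as $i => $value) {   // $i is whatever key the caller supplied
            $expanded[$key . '_' . $i] = $value;
        }
        // The placeholder list is spliced into the query text verbatim.
        $sql = preg_replace('#' . preg_quote($key, '#') . '\b#',
                            implode(', ', array_keys($expanded)), $sql);
        unset($args[$key]);
        $args += $expanded;
    }
    return [$sql, $args];
}

function expand_args_safe(string $sql, array $args): array
{
    foreach ($args as $key => $data) {
        if (!is_array($data)) {
            continue;
        }
        $expanded = [];
        // array_values() discards caller keys: $i is always 0, 1, 2, ...
        foreach (array_values($data) as $i => $value) {
            $expanded[$key . '_' . $i] = $value;
        }
        $sql = preg_replace('#' . preg_quote($key, '#') . '\b#',
                            implode(', ', array_keys($expanded)), $sql);
        unset($args[$key]);
        $args += $expanded;
    }
    return [$sql, $args];
}

// Constructed input: the bound array carries a string key with a space in it.
$query = 'SELECT name FROM users WHERE name IN (:name)';
$bound = [':name' => ['not a number' => 'alice', 7 => 'bob']];
[$unsafeSql] = expand_args_unsafe($query, $bound);
[$safeSql]   = expand_args_safe($query, $bound);
echo $unsafeSql, PHP_EOL;  // untrusted key text has become part of the query string
echo $safeSql,   PHP_EOL;  // only integer-suffixed placeholders, whatever the keys were
```

Comparing the two query strings shows why a check on the shape of every expanded placeholder (or, as here, discarding caller-supplied keys) belongs in the sanitiser itself rather than in each calling site.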
Dwayne Melancon, CTO at security company Tripwire, said: "The ever-increasing use of open source and third-party software components means this isn’t the last time we will see this kind of vulnerability – diligence is critical, and this is as much a supply chain issue as it is a technical one.
"This situation shares similarities with other recently discovered exploits such as ShellShock, Heartbleed, and the Poodle SSL vulnerability in that it is something that has been around for quite a while but just wasn’t known."
The flaw was originally reported to Drupal last November by user David Garcia, but had been overlooked until a private security audit picked up the issue.
Drupal has a 5.1% share of the CMS market, according to web technology surveyor W3Techs, less than rivals Joomla at 7.9% and WordPress at 61.1%.
"Encrypting the data in a database is not going to help prevent SQL injection vulnerabilities," said Guillermo Lafuente, a consultant at MWR InfoSecurity.
"However, if the contents of the database are encrypted then an attacker exploiting the issue who goes on to extract database content will not be able to see the cleartext data."