According to this article: Feds list the top 30 most-exploited vulnerabilities. Many are years old, older version of Drupal 7 and 8 is in the top 12 of list of softwares that are still being exploited by hackers.
This came as a surprise as i always thought most people or businesses keep their site up to date since security is a top priority.
Drupal with the flaw are version 7.57 and 8.5. The vulnerability is Remote Code Execution (CVE-2018-7600). A patch to fix this was released back in 28th March 2018.
A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised.
I urge anyone still running any older version of Drupal to update now to latest version which are 7.82 and 8.9.17 (as of today).
How to update your site? please read this documentation
If you do not know how to update your Drupal site, it is worth spending little investment to hire a Drupal developer or Drupal company to get the job done. I also offer Drupal services so contact me if you need help.