Two of the most often-used open source content management systems, Drupal and WordPress, have new vulnerabilities that can affect millions of websites. For the first time, the two CMS teams are coordinating to release a joint security system to fix the new software flaw.

According to EWeek, the flaw was discovered by Nir Goldshlager, a Salesforce.com researcher. He found that with a few simple keystrokes, a WordPress or Drupal website could be taken down easily.

The flaw is a potential denial of service (DoS) issue with the XML processing module of PHP, which is used by both WordPress and Drupal. The flaw is highlighted because U.S. government sites including WhiteHouse.gov use Drupal. On the other hand, there are over 60 million sites that use WordPress.

Goldshlager explained that the vulnerability can be employed without using any plug-ins and works seamlessly in the default installation of the two CMS. He added that even one machine could be used to exploit the particular flaw.

He discovered the flaw by building a site-killing hack using the modified version of the XML Quadratic Blowup Attack. The file tricks a server into parsing a big number of variables for an infinite number of times, which leads to the server working too hard until it reaches a server-crash state.

Goldshlager said that he released the details of the hack he built to the companies most likely to be affected by an attack before he released the discovery for publication. Drupal and WordPress have released the updates to plug the flaw but it is still up to the users of these two CMS to use them on their sites.

Therefore, it is advised that Drupal and WordPress website users should update their sites immediately. The XML vulnerability that has been found affects the default installations of Drupal or WordPress as well as Drupal versions 6.x to 7.x and WordPress versions 3.5 up to the most current one. Users should visit Drupal or WordPress site to get the update.