CMS Vulnerability Scanner
loginThis tool actively probes a target for vulnerabilities. Running it without verifying the user owns or has permission to test the target is indistinguishable from attack tooling, so it requires authorization.
This tool isn't available in the anonymous view. Sign in to access it.
Monitor this automatically
NetTests can run this check on a schedule, preserve historical results, compare changes over time, and alert you the moment something breaks.
Start monitoring free → See all monitoring productsFrequently Asked Questions
What CMSes does droopescan support?
Droopescan supports Drupal, SilverStripe, Moodle, Joomla, and WordPress. It detects the installed version by fingerprinting assets and changelog files, then cross-references against a database of known vulnerabilities for that version.
What does it check for?
Installed CMS version, enabled modules/plugins and their versions, known CVEs for detected components, default admin paths, and common misconfigurations. For Drupal in particular, it identifies which modules are enabled and whether any are at vulnerable versions — critical given Drupal's history of severe RCE vulnerabilities (Drupalgeddon series).