CIS Controls v8 7.2 / NIST SP 800-53 SI-2

CMS patching and updates

Description

What this control does

This control ensures that Content Management Systems (CMS) such as WordPress, Drupal, and Joomla, together with their plugins, themes, and extensions, are systematically patched and updated to close known vulnerabilities. Organizations must maintain an inventory of every CMS instance, track the version of each installed component, apply security patches within defined timeframes, and test updates in a non-production environment before deploying them. CMS platforms are frequent targets of attackers who scan for and exploit unpatched vulnerabilities, so timely updates are critical to preventing website defacement, data breaches, and server compromise.

Control objective

What auditing this proves

Demonstrate that all CMS platforms, core software, plugins, themes, and extensions are identified, tracked, and updated according to a documented patch management schedule with testing protocols and rollback procedures in place.

Associated risks

Risks this control addresses

  • Attackers exploit known vulnerabilities in outdated CMS core software to gain administrative access or execute remote code
  • Unpatched third-party plugins and themes serve as entry points for automated scanning tools and mass exploitation campaigns
  • Newly disclosed vulnerabilities remain exploitable for longer when nobody monitors for emergency security updates and vendor advisories, so the window between public disclosure and patch deployment grows
  • CMS compromise leads to injection of malicious scripts, SEO spam, or drive-by download attacks affecting website visitors
  • Database exfiltration through SQL injection vulnerabilities in outdated CMS extensions exposes customer and business data
  • Outdated CMS instances provide persistent backdoors for attackers to maintain access even after initial breach detection
  • Lack of testing before update deployment causes production outages or functionality breaks during emergency patching

Testing procedure

How an auditor verifies this control

  1. Request and review the CMS inventory listing all production and non-production instances including platform type, version numbers, hosting locations, and responsible teams.
  2. Obtain the CMS patch management policy and procedures documenting update schedules, testing requirements, approval workflows, and maximum remediation timeframes for critical vulnerabilities.
  3. Select a representative sample of 10-15 CMS instances spanning different platforms and business units from the inventory.
  4. Log into each sampled CMS administrative interface and document the current version of core software, installed plugins, themes, and extensions.
  5. Compare documented versions against vendor security advisory databases and CVE records to identify known vulnerabilities and available patches.
  6. Review change management tickets and maintenance logs for the past 90 days to verify patching frequency, testing documentation, and adherence to defined timelines.
  7. Interview CMS administrators to confirm subscription to security mailing lists, use of automated update monitoring tools, and procedures for emergency out-of-band patching.
  8. Examine non-production environment configurations to verify test instances exist with representative data for validating updates before production deployment.
Evidence required

CMS inventory spreadsheet or CMDB export with version details; patch management policy document; screenshots of CMS dashboards showing version information for core, plugins, and themes; change management tickets showing update approvals and deployment dates; security advisory subscription confirmations; testing checklists or test case documentation; patch deployment logs or automation tool reports showing successful update execution.

Pass criteria

All sampled CMS instances run the current release or the one immediately preceding it (n-1), with no critical or high-severity vulnerability left unpatched beyond the policy-defined remediation timeframe; documented evidence shows testing occurred before production deployment; and administrators demonstrate active monitoring of security advisories.
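An added example, not part of this control page or of any vendor tool, of how an auditor or platform owner can mechanise steps 4 to 6 and the pass criteria: an inventory of CMS instances with component versions is compared against a list of advisories, each unpatched finding is aged against a per-severity remediation timeframe, and the instance is judged against the "current or n-1" rule. The inventory, advisory list, release history, remediation timeframes and audit date are all constructed sample data; the advisory identifiers (ADV-0001 and so on) are placeholders rather than real CVEs, and reading "n-1" as one of the two newest entries in the release list is an assumption.

```python
"""Audit helper written as an added example for this control. It is not part of
the control text or any vendor tool. The inventory, advisory list, release
history, remediation timeframes and audit date are constructed sample data and
the advisory identifiers are placeholders, not real CVEs."""
from dataclasses import dataclass
from datetime import date


def parse_version(v: str) -> tuple:
    """Turn '6.4.1' into (6, 4, 1) so versions compare numerically rather than
    as strings. Tuple comparison pads naturally: (6, 4) < (6, 4, 1)."""
    return tuple(int(p) for p in v.split("."))


@dataclass
class Advisory:
    advisory_id: str   # placeholder id, not a real CVE
    component: str     # "core" or a plugin/theme slug
    fixed_in: str      # first version that carries the fix
    severity: str      # critical | high | medium | low
    published: date    # advisory publication date


@dataclass
class Instance:
    name: str
    platform: str
    core_version: str
    plugins: dict      # plugin slug -> installed version


@dataclass
class Finding:
    instance: str
    component: str
    installed: str
    advisory: Advisory
    days_open: int     # days since the advisory was published
    overdue: bool      # True once days_open exceeds the severity's timeframe


# Constructed policy: maximum days from advisory publication to patch.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed release history per platform, newest first. "Current or n-1"
# is read here (assumption) as one of the two newest entries.
RELEASES = {"wordpress": ["6.4.3", "6.4.2", "6.4.1", "6.3.2"]}


def find_findings(inst: Instance, advisories, today: date):
    """Step 5: compare every installed component against the advisory list."""
    installed = {"core": inst.core_version, **inst.plugins}
    out = []
    for adv in advisories:
        version = installed.get(adv.component)
        if version is None:
            continue  # component not present on this instance
        if parse_version(version) >= parse_version(adv.fixed_in):
            continue  # already at or past the fixed version
        days_open = (today - adv.published).days
        out.append(Finding(inst.name, adv.component, version, adv,
                           days_open, days_open > SLA_DAYS[adv.severity]))
    return out


def evaluate(inst: Instance, advisories, today: date) -> dict:
    """Apply the pass criteria: core is current or n-1, and no critical or
    high finding is older than its remediation timeframe."""
    findings = find_findings(inst, advisories, today)
    core_ok = inst.core_version in RELEASES[inst.platform][:2]
    blocking = [f for f in findings
                if f.advisory.severity in ("critical", "high") and f.overdue]
    return {"instance": inst.name, "core_ok": core_ok,
            "findings": findings, "blocking": blocking,
            "passed": core_ok and not blocking}


# Constructed sample advisories and inventory (the "sampled instances").
ADVISORIES = [
    Advisory("ADV-0001", "core", "6.4.3", "high", date(2024, 1, 30)),
    Advisory("ADV-0002", "contact-form", "5.9.0", "critical", date(2024, 2, 20)),
    Advisory("ADV-0003", "seo-toolkit", "2.3.1", "medium", date(2024, 2, 25)),
]
INVENTORY = [
    Instance("www-prod", "wordpress", "6.4.3",
             {"contact-form": "5.9.2", "seo-toolkit": "2.3.1"}),
    Instance("intranet", "wordpress", "6.4.2",
             {"contact-form": "5.8.4", "seo-toolkit": "2.2.0"}),
    Instance("legacy-blog", "wordpress", "6.3.2",
             {"contact-form": "5.9.0"}),
]
AUDIT_DATE = date(2024, 3, 1)


def run_audit(inventory=INVENTORY, advisories=ADVISORIES, today=AUDIT_DATE):
    """Evaluate every sampled instance; returns one result dict per instance."""
    return [evaluate(i, advisories, today) for i in inventory]


if __name__ == "__main__":
    for r in run_audit():
        print(f"{r['instance']}: {'PASS' if r['passed'] else 'FAIL'} "
              f"(core_ok={r['core_ok']}, findings={len(r['findings'])}, "
              f"blocking={len(r['blocking'])})")
        for f in r["blocking"]:
            print(f"  {f.advisory.advisory_id} {f.component} {f.installed} "
                  f"< {f.advisory.fixed_in}, {f.days_open}d open, "
                  f"SLA {SLA_DAYS[f.advisory.severity]}d")
```

With the constructed data, www-prod passes, intranet fails on two overdue critical/high findings even though its core is within n-1, and legacy-blog fails on both the n-1 rule and an overdue core advisory; the medium finding on intranet is reported but does not block, matching the pass criteria. On a WordPress host the two inventory fields the script consumes can be exported with WP-CLI (`wp core version` and `wp plugin list --format=json`); the same comparison applies to Drupal or Joomla inventories once component names line up with the advisory feed.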