SQL injection in Drupal

On April 6, 2015, a bug bounty hunter named Stefan Horst published an SQL injection vulnerability that affected all versions before Drupal 7.32.

The vulnerable query in Drupal is as follows:

    db_query("SELECT * FROM {users} where name IN (:name)", array(':name'=>array('user1','user2')));

This statement becomes exploitable when the placeholder expansion turns it into the following:

    SELECT * FROM users WHERE name IN (:name_test) -- , :name_test )

Exploiting the vulnerability can result in the whole database being dumped, the data contained in it being modified, or the information being dropped.
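The following added example (not code from the book or from Drupal) is a simplified model of how the first statement above turns into the second. It assumes that each generated placeholder is named after the array key, and `expand_placeholders()` is a hypothetical helper name; the hardened path renumbers the array before expansion.

```php
<?php
// Simplified model of array-placeholder expansion (added example, not Drupal's source).
// expand_placeholders() is a hypothetical helper name.

/**
 * Replace an array-valued placeholder such as :name with one placeholder per
 * element. With $trustKeys = true the array keys are copied into the
 * placeholder names, and therefore into the SQL text itself.
 */
function expand_placeholders(string $query, array $args, bool $trustKeys): array
{
    $bound = [];
    foreach ($args as $placeholder => $data) {
        if (!is_array($data)) {
            $bound[$placeholder] = $data;
            continue;
        }
        // Hardened form: discard caller-supplied keys and renumber from 0.
        $items = $trustKeys ? $data : array_values($data);
        $names = [];
        foreach ($items as $key => $value) {
            $names[] = $placeholder . '_' . $key;
            $bound[$placeholder . '_' . $key] = $value;
        }
        $query = str_replace($placeholder, implode(', ', $names), $query);
    }
    return [$query, $bound];
}

$sql = 'SELECT * FROM {users} where name IN (:name)';

// Constructed input: ordinary list with integer keys.
$benign = [':name' => ['user1', 'user2']];
// Constructed input: string keys taken from the statement shown above.
$crafted = [':name' => ['test) -- ' => 'user1', 'test' => 'user2']];

foreach ([[$benign, true], [$crafted, true], [$crafted, false]] as [$args, $trustKeys]) {
    [$expanded, $bound] = expand_placeholders($sql, $args, $trustKeys);
    // Defensive check: a placeholder name must be a colon followed by word characters.
    $bad = array_filter(array_keys($bound), fn($n) => !preg_match('/^:\w+$/', $n));
    printf("%s\n  keys %s, malformed placeholder names: %d\n",
        $expanded, $trustKeys ? 'trusted' : 'renumbered', count($bad));
}
```

The placeholder-name check in the loop is the kind of assertion a database layer can make before preparing a statement, independent of how the names were generated.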

If you want to read more about the vulnerability, see the report at https://hackerone.com/reports/31756.