Fix Drupal SQL & XSS

Client: AI | Published: 24.12.2025

Our production Drupal site is showing clear signs of two vulnerabilities—SQL injection and cross-site scripting. I have been able to trace some of the problem areas, but the investigation is only partially complete and I need a seasoned Drupal security specialist to finish the audit, patch every instance, and confirm that no attack vectors remain.

Environment details
• Drupal core only; there is no custom code or third-party module layer to contend with, so all issues should be within core configuration or outdated core files.
• Access to staging and production servers, plus recent database snapshots, will be provided the moment the project starts.

Scope of work
1. Complete a thorough security scan (manual review + preferred tools such as Drupal Security Review, OWASP ZAP, or your equivalent).
2. Pinpoint every SQL injection and XSS entry point left in the codebase or database.
3. Patch, update, or re-configure affected core files/settings, ensuring no functionality loss.
4. Provide a concise remediation report outlining:
   – Location of each vulnerability found
   – Exact fix applied
   – Recommended preventive measures for future deployments
5. Run final penetration tests to demonstrate that the site is clean and stable.

Acceptance criteria
• No detectable SQLi or XSS issues in automated scans and manual testing.
• Site functionality intact across all existing user flows.
• Final report delivered and approved.

If this is within your wheelhouse, I’m ready to hand over server credentials and get the hardening started right away.