It's been official for a while now: Drupal will adopt React.js for its administration interface. This was announced shortly after the Vienna DrupalCon, the last of its kind held in Europe for now.
A month after the critical vulnerability dubbed Drupalgeddon 2 hit, the exploit is now being actively used. Malicious attackers are using botnets to exploit Drupal at scale, and most of them no longer deface the site or make their presence known at all.
Instead, attackers use worm-like malware on cracked Drupal installations to take control of the server, or cluster of servers, running Drupal. This allows them to use the popular CMS as an attack tool and profit from it indirectly.
Drupal has had a bad first half of 2018 regarding security. Following Drupalgeddon 2 and the botnet exploits came a smaller update. This is now followed by a critical vulnerability (SA-CORE-2018-004) that allows remote code execution. The commit showing the patches made to Drupal 8.x is available online: 7bff52b3a15d
Several weeks after responsible hosting providers patched their installations for Drupalgeddon 2, there are still many unpatched installations out there. The vulnerabilities were originally unveiled in late March. After Check Point published their piece uncovering Drupalgeddon 2, exploiters became active on the issue.
tl;dr: The Cambridge Analytica site is using a version of Drupal that has an easy XSS exploit using vulnerability SA-CORE-2018-001.
Drupal is a content management system often used for enterprise content management projects. The tool is large and has integrated features such as a database entity system, which leaves it open to many attack vectors because of the large API surface. Without a central authority like Acquia handling security updates, things can be difficult to patch and there will be vulnerable installs, as was the case with Drupalgeddon in 2014.