ZDNet

A quarter of major CMSs use outdated MD5 as the default password hashing scheme

Some of the projects that use MD5 as the default method for storing user passwords include WordPress, osCommerce, SuiteCRM, miniBB, SugarCRM, CMS Made Simple, MantisBT, Phorum, Observium, and X3cms.
Dark Reading

Moving Away From Rash Hashing Decisions

The past few years have been a bonanza for password breaches as poor deployment or nonexistent encryption practices combined with database and Web application vulnerabilities to SQL injection continue ...