
A CMS would need to send email so that it can reset passwords, just as an example. Again, as the parent has said, the failing here is not that the CMS is provided with email credentials (that's very common for all but the simplest CMS), but that it didn't separate and limit the accounts properly.



Right, but... in this specific situation, their WordPress homepage doesn't appear to be the client-serving portal... That's what Drupal is for:

https://portal.mossfon.com/

Drupal was apparently where the CRM was handled, including the posting of documents and so forth. The use-case you mention seems to be something that should be handled by the Drupal site.

Though I guess this speculation is just moot. The severity of the Drupal flaw would seemingly allow access to whatever Drupal uses to talk to the email server. That the WordPress server used the same email server and had the same access is just coincidence, another example of careless IT by MF, not that MF was necessarily using WordPress as a client-serving site.


The WordPress blog editors would need to reset their own password occasionally.



