Re: https://www.virustotal.com/nl/url/67a62a9af440dfc095be7e2efea960018adfedf6dafafa12c74c5582782549cb/analysis/1438984809/
Re: ISSUE DETECTED | DEFINITION | INFECTED URL
Website Malware | mwjs-iframe-hidden1?v25 | http://ozonopuntura.com
Website Malware | mwjs-iframe-hidden1?v25 | http://ozonopuntura.com/404testpage4525d2fdc
Website Malware | mwjs-iframe-hidden1?v25 | http://ozonopuntura.com/404javascript.js
Website Malware | mwjs-iframe-hidden1?v25 | http://ozonopuntura.com/tratamientos/
Website Malware | mwjs-iframe-hidden1?v25 | http://ozonopuntura.com/testimonios/
Website Malware | mwjs-iframe-hidden1?v25 | http://ozonopuntura.com/?page_id=11
Known javascript malware. Details: http://labs.sucuri.net/db/malware/mwjs-iframe-hidden1?v25
Alerted on scan here: https://urlquery.net/report.php?id=1438984893423
Theme Creare Site 1.2.5 is vulnerable; see the changes for why: https://themes.trac.wordpress.org/changeset?old_path=/creare-site/1.2.5&new_path=/creare-site/1.2.6 → https://www.web8.ro/
The theme listed here is the active theme found in the HTML source of the page. A comprehensive assessment should include checking for other themes that are installed but not active, as these can also contain exploitable security vulnerabilities. In a “black box” assessment or penetration test, detection of all themes can be undertaken by brute forcing the theme paths. Alternatively, if you have access to the host, you could simply remove all unused themes.
Warning User Enumeration is possible
The first two user IDs were tested to determine if user enumeration is possible.
User ID 1 : admin
User ID 2 : liliacortez
Warning Directory Indexing Enabled
In the test we attempted to list the directory contents of the uploads and plugins folders to determine if Directory Indexing is enabled. This is an information leakage vulnerability that can reveal sensitive information regarding your site configuration or content.
/wp-content/uploads/ enabled
/wp-content/plugins/ disabled
See: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fozonopuntura.com
jQuery code here with a known sink: https://wordpress.org/support/topic/jquery-migrate-vulnerability-or-false-alarm
http://www.domxssscanner.com/scan?url=http%3A%2F%2Fozonopuntura.com%2Fwp-includes%2Fjs%2Fjquery%2Fjquery-migrate.min.js%3Fver%3D1.2.1 (but no sources, as far as one can establish).
See inside code here: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fozonopuntura.com%2Fwp-includes%2Fjs%2Fwp-emoji-release.min.js%3Fver%3D4.2.4 - WordPress core script issue:
https://core.trac.wordpress.org/attachment/ticket/31242/31242.18.patch
polonus (volunteer website security analyst and website error-hunter)