SE redirects, CMS issues, jQuery insecurity

See: http://killmalware.com/masterskaratetournament.com/#
See: http://fetch.scritch.org/%2Bfetch/?url=http%3A%2F%2Fmasterskaratetournament.com%2F&useragent=Fetch+useragent&accept_encoding=
WordPress Version
4.0.10
Version does not appear to be latest 4.5.1 - update now.

WordPress Plugins
The following plugins were detected by reading the HTML source of the WordPress site's front page.

jquery-t-countdown-widget 2.2.17 latest release (2.3.11) Update required
http://plugins.twinpictures.de/plugins/t-minus-countdown/
contact-form-7 4.0.3 latest release (4.4.2) Update required
http://contactform7.com/
Plugins are a source of many security vulnerabilities within WordPress installations. Always keep them updated to the latest version available and check the developer's plugin page for information about security-related updates and fixes.

Embedded: -http://miamiconciergepsychiatrist.com/wp-content/uploads/2014/10/creditcards.png (creditcards) →
http://www.domxssscanner.com/scan?url=http%3A%2F%2Fmiamiconciergepsychiatrist.com%2Fwp-content%2Fuploads%2F2014%2F10%2Fcreditcards.png+ GoDaddy abuse!
on -http://ip-23-229-227-161.ip.secureserver.net/ see: https://www.mywot.com/en/scorecard/ip-23-229-227-161.ip.secureserver.net?utm_source=addon&utm_content=rw-viewsc See *

jQuery issues: -http://masterskaratetournament.com
Detected libraries:
jquery-migrate - 1.2.1 : -http://masterskaratetournament.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.2.1
Info: Severity: medium
http://bugs.jquery.com/ticket/11290
http://research.insecurelabs.org/jquery/test/
jquery - 1.11.1 : (active1) -http://masterskaratetournament.com/wp-includes/js/jquery/jquery.js?ver=1.11.1
Info: Severity: medium
https://github.com/jquery/jquery/issues/2432
http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
(active) - the library was also found to be active by running code
2 vulnerable libraries detected

On embedded: -http://miamiconciergepsychiatrist.com
Detected libraries:
jquery-migrate - 1.2.1 : -http://miamiconciergepsychiatrist.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.2.1
Info: Severity: medium
http://bugs.jquery.com/ticket/11290
http://research.insecurelabs.org/jquery/test/
jquery - 1.11.1 : (active1) -http://miamiconciergepsychiatrist.com/wp-includes/js/jquery/jquery.js?ver=1.11.1
Info: Severity: medium
https://github.com/jquery/jquery/issues/2432
http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
(active) - the library was also found to be active by running code
2 vulnerable libraries detected
Website also with outdated WordPress version and plug-ins, user-enumeration enabled.

CPanel log-in screen can be found here: -https://p3plcpnl0689.prod.phx3.secureserver.net:2083/ *
See: http://toolbar.netcraft.com/site_report?url=https://p3plcpnl0689.prod.phx3.secureserver.net
With SSL issues:
Signature algorithm: SHA1withRSA WEAK
Chain issues: Incorrect order, Contains anchor

Certification Paths
Path #1: Trusted
1 Sent by server: *.prod.phx3.secureserver.net
Fingerprint SHA1: f336d056a833bfcc97b423514e8cfcaae350ac57
Pin SHA256: TSWiw4n1bDTAr7M+wJvfGpOl8pD4zNnPKkSssbHu0Og=
RSA 2048 bits (e 65537) / SHA1withRSA WEAK SIGNATURE
2 Sent by server: Starfield Secure Certification Authority
Fingerprint SHA1: 7e1874a98faa5d6d2f506a8920ff22fbd16652d9
Pin SHA256: lpQNmRQZFRRQ0edfZiGPbyWU4d9K8xpa1nPJqHRoF84=
RSA 2048 bits (e 65537) / SHA1withRSA WEAK SIGNATURE
3 Sent by server, In trust store: Starfield Technologies, Inc. / Starfield Class 2 Certification Authority, Self-signed
Fingerprint SHA1: ad7e1c28b064ef8f6003402014c3d0e3370eb58a
Pin SHA256: FfFKxFycfaIz00eRZOgTf+Ne4POK6FgYPwhBDqgqxLQ=
RSA 2048 bits (e 3) / SHA1withRSA
Weak or insecure signature, but no impact on root certificate 1*
1* (obvious as it never has on certification, but impact is on end2end connection security - note by me, pol)

Check your site for weak SHA-1 certificates. Open source scan from @konklone.

Dang.
p3plcpnl0689.prod.phx3.secureserver.net is using SHA-1.

Check above to see if a site is still using certificates that were issued using the dangerously outdated SHA-1 signature algorithm.

As of January 1, 2016, no publicly trusted CA is allowed to issue a SHA-1 certificate. So any new certificate you get should automatically use a SHA-2 algorithm for its signature.

However, existing SHA-1 certificates are still trusted by modern browsers and operating systems. Generally, they will be removing support for SHA-1 entirely by January 1, 2017.

Legacy clients will continue to accept SHA-1 certificates, and it is possible to have requested a certificate on December 31, 2015 valid for 39 months. So, it is possible to see SHA-1 certificates in the wild that expire in 2019.

polonus (volunteer website security analyst and website error-hunter)