Site just recovered from SEO redirecting, but still vulnerable.

What is wrong?

WordPress Version 4.1.4
Version does not appear to be latest 4.2.1 - update now.

The following plugins were detected from the HTML source of the WordPress front page.
All in One SEO Pack
-revslider
-cookie-law-info
-designthemes-core-features
-responsive-maps-plugin
-contact-form-7
-socialfans-counter

Theme : dreamspa

Warning: User Enumeration is possible
The first two user ID’s were tested to determine if user enumeration is possible.
User ID 1 : martafisio
User ID 2 : None

Vulnerabilities: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fcentrotandem.es
Results from scanning URL: http://centrotandem.es/wp-content/plugins/contact-form-7/includes/js/scripts.js?ver=4.1.1
Number of sources found: 8
Number of sinks found: 1
Results from scanning URL: http://centrotandem.es/wp-content/plugins/socialfans-counter/assets/js/socialfans-script.js?ver=3.2
Number of sources found: 16
Number of sinks found: 11
Results from scanning URL: http://centrotandem.es/wp-content/themes/dreamspa/framework/js/public/toucheffects.js?ver=4.1.4
Number of sources found: 13
Number of sinks found: 32
Results from scanning URL: http://centrotandem.es/wp-content/plugins/socialfans-counter/assets/js/socialfans-script.js?ver=3.2
Number of sources found: 84
Number of sinks found: 27
Results from scanning URL: http://centrotandem.es/wp-content/plugins/socialfans-counter/assets/js/socialfans-script.js?ver=3.2
Number of sources found: 16
Number of sinks found: 11
Results from scanning URL: http://centrotandem.es/wp-includes/js/comment-reply.min.js?ver=4.1.4
Number of sources found: 12
Number of sinks found: 12

66.1 per cent of PHP 5.3.x installs were insecure:
Vulnerable PHP http://www.theregister.co.uk/2014/12/31/want_to_have_your_server_pwned_easy_run_php/

polonus