WordPress site with issues and known JavaScript malware injection...

See: https://sitecheck.sucuri.net/results/legato.gda.pl

Bad settings: User Enumeration
The first two user IDs were tested to determine if user enumeration is possible.

ID   User   Login
1    None   admin
2    None   None
It is recommended to rename the admin user account to reduce the chance of brute-force attacks occurring, as this will reduce the chance of automated password attackers gaining access. However, it is important to understand that if the author archives are enabled, it is usually possible to enumerate all users within a WordPress installation.

DOM XSS issues, for instance. Results from scanning URL: -http://legato.gda.pl/wp-content/themes/developer/js/skip-link-focus-fix.js?ver=20130115
Number of sources found: 26
Number of sinks found: 10

200 improvement recommendations after linting: https://webhint.io/scanner/bed95125-f273-49a0-ae1b-3de86346545c

polonus (volunteer 3rd party cold reconnaissance webmail security analyst and website error-hunter)
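The author-archive enumeration described in the post above, as an added example that is not part of the original post or of the scanner's output. It shows the mechanism (the redirect from /?author=N to /author/<user_login>/) and the check a site owner runs after hardening. The host name example.invalid, the users and the stubbed HTTP transport are constructed for the demo.

```javascript
// Added example (not from the original post): how WordPress author archives
// leak user logins, and the check to run after hardening. The site name, the
// users and the fake transport below are all constructed for this demo.
//
// Mechanism: with author archives enabled, GET /?author=N answers with a
// 301/302 whose Location is /author/<user_login>/ whenever user ID N exists,
// so an attacker can walk the IDs and read the logins off the redirects.

const SITE = "https://example.invalid";

// Constructed responses for a leaky site: ID 1 is the default "admin"
// account, ID 2 is an editor, ID 3 does not exist.
const LEAKY_SITE = {
  1: { status: 301, headers: { location: `${SITE}/author/admin/` } },
  2: { status: 301, headers: { location: `${SITE}/author/jdoe/` } },
};

// Constructed responses after hardening (author archives disabled and the
// ?author= query refused): every probe is answered identically.
const HARDENED_SITE = {
  1: { status: 403, headers: {} },
  2: { status: 403, headers: {} },
};

// Stand-in for an HTTP client that requests /?author=<id> without following
// redirects; unknown IDs behave like WordPress's 404.
function makeFetcher(table) {
  return (id) => table[id] || { status: 404, headers: {} };
}

// Extract user_login from an author-archive redirect target such as
// https://host/author/admin/. Returns null when the target is not one.
function loginFromLocation(location) {
  if (!location) return null;
  let url;
  try {
    url = new URL(location, SITE);
  } catch {
    return null;
  }
  const m = url.pathname.match(/^\/author\/([^/]+)\/?$/);
  if (!m) return null;
  try {
    return decodeURIComponent(m[1]);
  } catch {
    return m[1];
  }
}

// Probe IDs 1..maxId; returns { id: login } for every ID that leaked.
function enumerateAuthors(fetchById, maxId) {
  const found = {};
  for (let id = 1; id <= maxId; id++) {
    const res = fetchById(id);
    if (res.status !== 301 && res.status !== 302) continue;
    const login = loginFromLocation(res.headers.location);
    if (login) found[id] = login;
  }
  return found;
}

// The post-hardening check: the first two IDs (the ones the scan above
// probed) must leak nothing at all.
function enumerationMitigated(fetchById) {
  return Object.keys(enumerateAuthors(fetchById, 2)).length === 0;
}

console.log("leaky site   :", enumerateAuthors(makeFetcher(LEAKY_SITE), 3));
console.log("hardened site:", enumerateAuthors(makeFetcher(HARDENED_SITE), 3));
console.log("mitigated?", enumerationMitigated(makeFetcher(HARDENED_SITE)));
```

Renaming "admin" alone only changes what ID 1 leaks; the IDs stay enumerable until the author archives are disabled or the ?author= query is refused, which is what the hardened table models. The WordPress REST API users endpoint (/wp-json/wp/v2/users) is a second channel for the same information and needs to be restricted separately; it is not covered by this check.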

A good Google Books title to read:
PHP Security & Cracking Puzzles, Authors: Maxim Kuznetsov, Igor Simdyanov (info credits mentioned).
Gives a vulnerable script for uploading files to a remote server.

This below I have not seen patched:

<?php

//File Inclusion Exploit for STWC-Counter <= 3.4.0.0
//Found and Exploit Coded by burncycle - burncycle[(at)]robert-beran[(dot)]de
//|
//Vendor: http://www.stwc-counter.de/
//Dork: www.stwc-counter.de
//|
//Bug in "downloadcounter.php": etc.

Why do they not use "Cyclone"-C in order to mitigate such vulnerabilities for downloadcounter.php?
Using default passwords like "Packet" does not make things easier to protect,
and PHP can often be an "open can of worms" for developers :o

See for the WordPress CMS: https://www.exploit-db.com/exploits/18355

But also for other CMSes, like Magento; the correlation is again and again named "Magecart" and Magecart hackers.

Read: https://securityaffairs.co/wordpress/88323/hacking/magecart-unprotected-s3-buckets.html
https://www.wired.com/story/british-airways-hack-details/
Why does Amazon's CDN not do more here than they apparently do in S3 bucket protection?

Cybercriminals specifically go for JavaScript that is being changed and injected:
https://www.riskiq.com/blog/labs/magecart-amazon-s3-buckets/

For many in the field, security is often a last-resort thing, and that is why we have such a situation at hand.

Fancy websites bring money, one would think, while secure websites do not impress;
but again, in the long run they will cost less in damage, data breaches and lost reputation.

polonus