Confidential — Authorized Pentest

Penetration Test Report

Company B Technologies Pvt Ltd — company-b.example.com

Target

company-b.example.com + subdomains

Date

March 11, 2026

Type

External Black-Box

Authorization

Co-founder (Written)

Tester

Redacted Tester

Overall Risk

High

01 Executive Summary

High

Medium

Low

Info

Subdomains

1 CVE

Active Vuln

An authorized external black-box penetration test was conducted against company-b.example.com and its subdomains on March 11, 2026. Company B Technologies is a cybersecurity company based in [Redacted City], India, with 100+ employees.

The primary website is a WordPress application behind Cloudflare CDN/WAF with Wordfence as an application-layer WAF. Email flows through Mimecast (inbound security gateway) to Microsoft 365.

Key concerns: Origin server IPs are exposed through subdomains and SPF records, allowing Cloudflare WAF bypass. A wildcard CORS policy allows any website to read cross-origin responses. WordPress config backup files exist on disk. Email authentication (DMARC/DKIM) is insufficient for a cybersecurity company — spoofing is possible. The Wordfence WAF has inconsistent XSS filtering that can be bypassed. Internal infrastructure details are leaked via Elastic APM configuration in the page source.

No critical (P0) vulnerabilities were found. The site benefits from strong TLS configuration, HSTS preload, blocked admin panels, and active Cloudflare APO. However, the 9 high-severity findings represent significant risk, especially for a company in the cybersecurity industry.

02 Security Score

/ 100

Critical

High

Medium

Low

Info

03 Discovered Architecture

🌐

User

→

☁️

Cloudflare

WAF + CDN + APO

→

💻

Origin Server

Apache + WordPress

→

🔒

Wordfence

App-layer WAF

Component	Technology	Detail
CMS	WordPress 6.x	Astra theme v4.12.3, Elementor Pro v3.35.1
Plugins (13)	Wordfence, Rank Math PRO, WP Rocket, WPML, Popup Maker, Cookie Notice, Click to Chat, Essential Addons, Perfmatters, Elementor AI, OTGS Installer	Versions exposed in HTML source
CDN/WAF	Cloudflare	APO enabled, HTTP/3, email obfuscation, NEL reporting
App WAF	Wordfence	Blocks wp-login, wp-admin, xmlrpc.php, some XSS
DNS	Cloudflare	deb.ns.cloudflare.com, skip.ns.cloudflare.com
SSL/TLS	Google Trust Services	ECDSA P-256 wildcard, TLS 1.2/1.3, AES-256-GCM
Email Inbound	Mimecast EU	Security gateway → Microsoft 365
Email Sending	Amazon SES, Brevo, Zoho	SPF hard fail (-all)
Monitoring	Elastic APM RUM	Redacted-Service, redacted-env
Analytics	GA4, GTM, Zoho PageSense, Hotjar	Multiple tracking platforms
Origin IPs	10.0.2.1/19/20, 10.0.2.4	Leaked via subdomains + SPF

04 Subdomain Enumeration

Live Subdomains (12)

Subdomain	IP / Target	Service	CDN Protected?
`www.company-b.example.com`	10.0.2.5 / 10.0.2.6	Main website	Yes
`company-b.example.com`	Cloudflare	Redirect → www	Yes
`kb.company-b.example.com`	Cloudflare	Knowledge base	Yes
`rum.company-b.example.com`	Cloudflare	Elastic APM endpoint	Yes
`collector.company-b.example.com`	10.0.2.1	Data collector	No — Direct IP
`fleet.company-b.example.com`	10.0.2.1	Fleet management	No — Direct IP
`lms.company-b.example.com`	10.0.2.3	Learning mgmt system	No — Direct IP
`ps.company-b.example.com`	Vercel	Unknown	Vercel
`sop.company-b.example.com`	Vercel	Unknown	Vercel
`uniview.company-b.example.com`	Zoho Creator	Portal	Zoho
`univiewportal.company-b.example.com`	Zoho Creator	Portal	Zoho
`autodiscover.company-b.example.com`	Microsoft 365	Email config	M365

Dead Subdomains — Takeover Candidates (9)

Subdomain	Status	Risk
`blog.company-b.example.com`	NXDOMAIN	Takeover Risk
`demo.company-b.example.com`	NXDOMAIN	Takeover Risk
`falcondr.company-b.example.com`	NXDOMAIN	Takeover Risk
`ironhash-new.company-b.example.com`	NXDOMAIN	Takeover Risk
`nc.company-b.example.com`	NXDOMAIN	Takeover Risk
`ncompass.company-b.example.com`	NXDOMAIN	Takeover Risk
`o9solutions.company-b.example.com`	NXDOMAIN	Takeover Risk
`sentientnx.company-b.example.com`	NXDOMAIN	Takeover Risk
`uat-uniview.company-b.example.com`	NXDOMAIN	Takeover Risk

05 Attack Surface Map

Surface	Exposure	Protection	Risk
Main Website (www)	WordPress + 13 plugins	Cloudflare + Wordfence	Medium
Origin Servers	3 IPs exposed (no CDN)	None (Cloudflare bypassed)	High
WP REST API	28 namespaces, full plugin disclosure	User enum blocked	High
Email Domain	DMARC p=none, no DKIM	SPF -all, Mimecast inbound	High
Dead Subdomains (9)	CT log entries, NXDOMAIN	None	Medium
Vercel Apps (ps, sop)	Unknown services	Vercel platform	Unknown
Zoho Portals	uniview, univiewportal	Zoho platform	Unknown

06 High Severity Findings (13)

H1 — High

Wildcard CORS — Access-Control-Allow-Origin: *

The server responds with Access-Control-Allow-Origin: * regardless of the requesting origin. Tested with Origin: https://evil.com and Origin: null — both return the wildcard. This means any website on the internet can make cross-origin requests and read the responses, potentially extracting sensitive data.

curl -sI -H "Origin: https://evil.com" https://www.company-b.example.com | grep access-control
access-control-allow-origin: *

Fix

Replace * with explicit allowed origins in Cloudflare or server config.
Only allow: https://www.company-b.example.com, https://company-b.example.com

H2 — High

Missing Content-Security-Policy

No CSP header or meta tag exists. The site loads 15+ external scripts from Google, Zoho, Hotjar, Cloudflare CDN, and others, plus multiple inline scripts. Without CSP, any XSS vulnerability has zero browser-side mitigation — an attacker can load scripts from any domain.

Fix

Content-Security-Policy: default-src 'self'; script-src 'self' https://www.googletagmanager.com https://www.google.com https://cdn-in.pagesense.io https://static.hotjar.com 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; frame-src https://www.google.com; font-src 'self';

H3 — High

WordPress REST API Fully Exposed

/wp-json/ returns HTTP 200 with 764KB of JSON data revealing 28 registered API namespaces and the complete plugin stack: Wordfence, Rank Math PRO, Elementor Pro, WP Rocket, WPML, Popup Maker, Elementor AI, OTGS Installer, and more. Individual plugin endpoints may expose additional data or functionality.

Positive: /wp-json/wp/v2/users returns 401 (user enumeration blocked).

Fix

Restrict wp-json access via Wordfence or Cloudflare rule:
- Block /wp-json/ for unauthenticated users, OR
- Whitelist only needed namespaces (e.g., /wp-json/wp/v2/posts)

H4 — High

wp-config.php Backup Files Exist on Server

/wp-config.php.bak and /wp-config.php.old both return 403 Forbidden (not 404). This confirms the files physically exist on the server. They are currently blocked by access rules, but if WAF configuration changes or is bypassed via origin IP, these files could expose database credentials, authentication keys, salts, and debug settings.

curl -sI https://www.company-b.example.com/wp-config.php.bak -> 403 Forbidden (WordPress headers)
curl -sI https://www.company-b.example.com/wp-config.php.old -> 403 Forbidden (WordPress headers)
curl -sI https://www.company-b.example.com/nonexistent.xyz  -> 000 (connection dropped)

Fix (Immediate)

SSH into server and DELETE these files:
rm /path/to/webroot/wp-config.php.bak
rm /path/to/webroot/wp-config.php.old
After deletion, rotate all credentials in wp-config.php as a precaution.

H5 — High

DMARC Policy is p=none (Email Spoofing Possible)

The DMARC record is set to p=none, meaning email authentication failures are only monitored, not blocked. Any attacker can send emails as @company-b.example.com and they will be delivered to recipients. This is especially concerning for a cybersecurity company, as spoofed emails could be used for phishing, social engineering, or impersonation of the company and its executives.

_dmarc.company-b.example.com TXT "v=DMARC1; p=none; rua=mailto:..."

Fix

Phase 1: _dmarc.company-b.example.com TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@company-b.example.com"
Phase 2 (after monitoring): Change to p=reject

H6 — High

No DKIM Records Found

14+ DKIM selectors tested (google, default, selector1, selector2, mimecast, brevo, zoho, k1, k2, k3, s1, s2, dkim, mail) — none resolve. Without DKIM, there is no cryptographic signing of outbound emails. DMARC alignment depends solely on SPF, and forwarded emails will fail authentication entirely.

Fix

Configure DKIM for each sending source:
- Microsoft 365: Enable DKIM in admin.microsoft.com
- Mimecast: Generate DKIM key in Mimecast admin
- Amazon SES: Enable Easy DKIM in SES console
- Brevo: Add DKIM record from Brevo settings

H7 — High

Origin Server IPs Exposed — Cloudflare Bypass

Three subdomains resolve directly to origin server IPs without Cloudflare protection: collector and fleet point to 10.0.2.1, lms points to 10.0.2.3. SPF records additionally leak 10.0.2.2 and 10.0.2.4 (AWS Mumbai). An attacker can directly access the origin server, completely bypassing Cloudflare WAF, DDoS protection, and rate limiting.

Fix

1. Route collector/fleet/lms through Cloudflare proxy (orange cloud)
2. Firewall origin server to ONLY accept traffic from Cloudflare IP ranges
3. Change origin IPs if possible (they are now public knowledge)
4. Remove explicit IPs from SPF, use include: directives instead

H8 — High

Elastic APM Configuration Leaked in Page Source

The homepage contains inline JavaScript that initializes Elastic APM Real User Monitoring with internal infrastructure details visible to any visitor.

elasticApm.init({
  serviceName: 'Redacted-Service',
  serverUrl: 'https://rum.company-b.example.com',
  serviceVersion: '1.0.0',
  environment: 'redacted-env',
  distributedTracingOrigins: [
    'https://www.company-b.example.com',
    'https://company-b.example.com',
    'https://rum.company-b.example.com',
    /https:\/\/.*\.company-b\.com/
  ]
});

This exposes: internal service naming conventions, the APM endpoint, production environment name, and confirms distributed tracing across all subdomains.

Fix

Move APM initialization to a server-side proxy or use environment variables.
At minimum, remove serviceName and environment from client-side config.

H9 — High

WAF Bypass: XSS via Search Parameter

Wordfence blocks XSS payloads in the ?q= parameter (returns 403), but allows the same payloads through the ?s= parameter (WordPress search). This inconsistency means the WAF can be bypassed by routing XSS payloads through the search functionality.

?q=<script>alert(1)</script>      -> 403 (Wordfence blocked)
?s=<img src=x onerror=alert(1)>     -> 200 (NOT blocked)
?s=<svg/onload=alert(1)>            -> 200 (NOT blocked)

Fix

1. Update Wordfence rules to cover WordPress search parameter (?s=)
2. Add CSP header to mitigate XSS even if WAF is bypassed
3. Ensure WordPress search output is properly HTML-encoded

H10 — High

Wordfence REST API Route Map Fully Exposed

/wp-json/wordfence/v1/ returns the complete Wordfence API route map, revealing endpoints for scan status, configuration, authentication, and firewall rules. This gives attackers a detailed blueprint of the security scanner's capabilities and potential bypass points.

GET /wp-json/wordfence/v1/ -> 200 OK
Exposed namespaces: scan/status, config, auth, firewall, blocking, audit-log

Fix

Restrict /wp-json/wordfence/v1/ namespace to authenticated admins only.
Add Cloudflare WAF rule: Block URI path contains "/wp-json/wordfence/"

H11 — High

Active CVE: Astra Theme v4.12.3 — Stored XSS (CVE-2026-3534)

The installed Astra theme version 4.12.3 is vulnerable to CVE-2026-3534 — a Stored Cross-Site Scripting vulnerability via post meta fields (ast-page-background-meta, ast-content-background-meta). An attacker with Contributor-level access can inject persistent malicious scripts that execute for all visitors.

CVSS: 6.4 (Medium) | Auth Required: Contributor+ | Fixed in: Astra 4.12.4 (released ~March 10, 2026)

Fix (Immediate)

Update Astra theme to v4.12.4:
wp-admin -> Appearance -> Themes -> Astra -> Update
Or via WP-CLI: wp theme update astra

H12 — High

No CSRF Nonces in Any HTML Form

Four Elementor-powered forms were found across the site (contact-us, careers, penetration-testing-services, homepage popup). None contain anti-CSRF hidden fields or nonce tokens. The only protection is Google reCAPTCHA. If CAPTCHA is bypassed (automated solvers, API bypass), forms are fully vulnerable to cross-site request forgery.

Pages with forms:
- /contact-us/ (name, email, phone, message)
- /careers/ (name, email, phone, resume upload)
- /penetration-testing-services/ (contact form)
- Homepage popup (lead capture)

All forms: 0 CSRF nonce fields, 0 anti-CSRF tokens

Fix

1. Add WordPress nonce fields to all Elementor forms (wp_nonce_field)
2. Validate nonces server-side on form submission
3. Add SameSite=Strict to all session cookies
4. Implement Origin/Referer header validation as secondary defense

H13 — High

WP Nonces Static/Cached — Not Session-Bound

JavaScript nonces embedded in the page (REDACTED_NONCE, REDACTED_NONCE) are identical across different sessions and IPs due to WP Rocket page caching. The nonces are cached with the page HTML, making them effectively static values rather than per-session tokens. Server-side validation also does not reject invalid or absent nonces — requests with valid, invalid, or missing nonces all produce identical responses.

Session 1: nonce = REDACTED_NONCE (from cached page)
Session 2: nonce = REDACTED_NONCE (identical - served from cache)
POST with nonce=INVALID: 200 OK (same response)
POST with nonce=ABSENT:  200 OK (same response)

Fix

1. Exclude form pages from WP Rocket cache, OR
2. Use WP Rocket's dynamic nonce refresh (AJAX-based nonce loading)
3. Implement proper server-side nonce validation that rejects invalid tokens

07 Medium Severity Findings (13)

PUT/DELETE/PATCH HTTP Methods Accepted (200)

Only TRACE returns 405. All other dangerous methods (PUT, DELETE, PATCH, OPTIONS) return 200 with full page content. Could enable unauthorized data modification if any endpoint processes these methods.

Fix

Block non-standard methods in Cloudflare WAF or Apache config:
<LimitExcept GET POST HEAD>
  Require all denied
</LimitExcept>

debug.log Exists on Server

/debug.log returns 403 with Apache-style headers. WordPress debug logs contain PHP errors, stack traces, database queries, file paths, and potentially user data. The Apache-style charset (iso-8859-1 vs WordPress UTF-8) suggests this is blocked at the Apache level, not WordPress.

Fix

Delete debug.log: rm /path/to/webroot/debug.log
Disable WP_DEBUG_LOG in wp-config.php, or redirect log to non-web-accessible path.

xmlrpc.php Exists (403)

File exists but is blocked. xmlrpc.php is a legacy interface used for brute-force amplification attacks, DDoS via pingback, and credential stuffing. Should be deleted entirely, not just blocked.

Fix

rm /path/to/webroot/xmlrpc.php

phpMyAdmin Path Exists (403)

/phpmyadmin returns 403, confirming the path exists. If access controls are weakened, this would expose the database management interface.

Fix

Remove phpMyAdmin from production, or move it to a non-standard path accessible only via VPN.

9 Dead Subdomains — Subdomain Takeover Candidates

CT logs show historical certificates for 9 subdomains that no longer resolve (NXDOMAIN): blog, demo, falcondr, ironhash-new, nc, ncompass, o9solutions, sentientnx, uat-uniview. If any of these had CNAME records pointing to third-party services (GitHub Pages, Heroku, etc.), an attacker could claim the service and serve content under company-b.example.com.

Fix

Audit DNS for any remaining CNAME records. Remove all dangling records.
Remove these domains from CT log monitoring to reduce noise.

No CAA DNS Record

Without a CAA record, any Certificate Authority in the world can issue SSL certificates for company-b.example.com. An attacker who compromises domain validation could obtain a valid certificate from any CA.

Fix

company-b.example.com. CAA 0 issue "pki.goog"
company-b.example.com. CAA 0 issuewild "pki.goog"
company-b.example.com. CAA 0 iodef "mailto:security@company-b.example.com"

Missing Referrer-Policy Header

No Referrer-Policy header. Full URLs including query parameters leak to third-party services (Google Analytics, Hotjar, Zoho PageSense) via the Referer header.

Fix

Referrer-Policy: strict-origin-when-cross-origin

Missing Permissions-Policy Header

Browser APIs (camera, microphone, geolocation, payment) are unrestricted. Third-party scripts (from 15+ external domains) could access these APIs.

Fix

Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=()

wp-cron.php Accessible

/wp-cron.php returns 200. This endpoint triggers WordPress scheduled tasks and can be abused for DoS by repeatedly hitting it, causing resource-heavy tasks (email sending, backup, cache rebuild) to execute continuously.

Fix

Disable web-based cron in wp-config.php:
define('DISABLE_WP_CRON', true);
Use server-side cron instead: */15 * * * * wget -q -O - https://www.company-b.example.com/wp-cron.php

M10

13 Plugin Versions Exposed in HTML Source

Exact version numbers are leaked via HTML comments, asset URLs, and feed generators. This enables targeted CVE exploitation against specific versions.

Plugin	Version	Leak Source
Elementor	3.35.6	Feed generator, JS/CSS URLs
Elementor Pro	3.35.1	JS/CSS URLs
Astra Theme	4.12.3	CSS URLs
WPML	4.8.6	Feed generator
Popup Maker	1.21.5	JS assets
Cookie Notice	2.5.14	HTML comment
Click to Chat	4.37	HTML comment
Essential Addons	6.5.13	JS/CSS assets
Swiper	8.4.5	JS URL
jQuery	3.7.1	WP includes
jQuery Migrate	3.4.1	WP includes
jQuery UI	1.13.3	WP includes
imagesLoaded	5.0.0	WP includes

Fix

Strip version strings from asset URLs using Perfmatters or WP Rocket settings.
Remove plugin name/version from HTML comments via functions.php.

M11

No Referer/Origin Validation on Form Submissions

Form submission endpoints process requests regardless of the Referer or Origin header. Submissions from https://evil.com are processed identically to legitimate requests. Combined with the missing CSRF nonces (H12), this means an attacker can craft a malicious page that auto-submits forms on behalf of any visitor.

Fix

Validate Origin/Referer headers server-side. Reject requests where Origin does not match company-b.example.com.

M12

admin-ajax.php DDoS Vector — Unauthenticated Heartbeat

/wp-admin/admin-ajax.php accepts unauthenticated action=heartbeat requests. Each request takes 1.9 seconds to process and bypasses Cloudflare cache (passes directly to origin). An attacker with moderate concurrency (50-100 parallel requests) could exhaust all PHP workers, causing a denial of service.

curl -X POST admin-ajax.php -d "action=heartbeat" -> 200 OK, 1.9s, bypasses CF cache
No rate limiting detected across 5 rapid sequential requests.

Fix

Option 1: Disable heartbeat for logged-out users in functions.php
Option 2: Add Cloudflare rate limiting rule for admin-ajax.php (max 10 req/min per IP)
Option 3: Block action=heartbeat for unauthenticated requests via Wordfence

M13

REST API Bandwidth Amplification

/wp-json/wp/v2/posts?per_page=100 returns a 2.1 MB response in 4 seconds. An attacker can amplify small requests into large responses, consuming server bandwidth and CPU. No rate limiting is applied to REST API endpoints.

Fix

Limit per_page to 10 in REST API via functions.php:
add_filter('rest_post_query', function($args) { $args['posts_per_page'] = min($args['posts_per_page'], 10); return $args; });
Add Cloudflare rate limiting on /wp-json/ path.

08 Low Severity Findings (9)

ID	Finding	Detail	Fix
L1	SPF Overly Broad	`include:amazonses.com` authorizes ALL Amazon SES customers globally to send as @company-b.example.com	Replace with `include:<your-ses-identity>.amazonses.com`
L2	No Subresource Integrity (SRI)	No SRI hashes on any external JS/CSS. CDN compromise could inject malicious scripts.	Add `integrity="sha384-..."` to external script/link tags
L3	M365 Tenant Name Exposed	`redacted.onmicrosoft.com` discoverable via autodiscover and MX records	Informational — inherent to M365
L4	Certificate Expires in ~70 Days	Wildcard cert expires May 20, 2026. Ensure auto-renewal is configured.	Verify Google Trust Services auto-renewal via Cloudflare
L5	Dual jQuery Versions	jQuery 3.7.1 (WP) and 3.6.0 (CDN) both loaded. Unnecessary attack surface and potential conflicts.	Remove the CDN jQuery (3.6.0), use WP-bundled version only
L6	reCAPTCHA Site Key Exposed	Site key `REDACTED_RECAPTCHA_KEY...2A7H` visible in source (expected for client-side, but enables bypass testing)	Ensure reCAPTCHA score threshold is appropriately set
L7	Multiple Analytics IDs Exposed	GA4: G-REDACTED, GTM: GTM-REDACTED, Zoho PageSense: REDACTED_ZOHO_ID...	Informational — inherent to client-side analytics
L8	Plugin readme.txt Files Accessible	Elementor, Wordfence 8.1.4, Astra, Popup Maker readme.txt return 200. Confirms exact versions.	Block readme.txt via .htaccess or Cloudflare WAF rule
L9	Author IDs Leaked via Posts API	author:5 and author:7 visible in /wp-json/wp/v2/posts JSON responses	Exclude author field from public REST API responses

09 Informational Findings (5)

ID	Finding	Detail
I1	WP generator meta tag stripped	WordPress version not disclosed in HTML meta — good practice
I2	User enum via REST API blocked	`/wp-json/wp/v2/users` returns 401 — good practice
I3	Admin panels blocked	wp-login.php, wp-admin, readme.html all return 403
I4	Public GitHub repo exists	Company B has a "site" repo on GitHub — should be reviewed for leaked credentials
I5	Known contact info	sales@company-b.example.com, secops@company-b.example.com, 4 co-founders identified via LinkedIn

10 WAF Analysis — Dual Layer

Layer 1: Cloudflare (Edge)

Test	Payload	Response	Verdict
Malicious UA	`User-Agent: sqlmap/1.0`	403	Blocked
Malicious UA	`User-Agent: nikto`	200	Not Blocked

Layer 2: Wordfence (Application)

Test	Payload	Response	Verdict
XSS (q param)	`?q=<script>alert(1)</script>`	403 (Wordfence page)	Blocked
XSS (s param)	`?s=<img src=x onerror=alert(1)>`	200	Bypassed
XSS (s param)	`?s=<svg/onload=alert(1)>`	200	Bypassed
SQLi	`?id=1' OR '1'='1`	200	Not Blocked
Path Traversal	`/../../../etc/passwd`	404	Normalized
wp-login.php	Direct access	403	Blocked
wp-admin	Direct access	403	Blocked
xmlrpc.php	Direct access	403	Blocked

11 Technology Stack

Category	Technology	Version
CMS	WordPress	6.x (inferred)
Theme	Astra + Astra Child	4.12.3 / 1.0.0
Page Builder	Elementor + Pro	3.35.6 / 3.35.1
Security	Wordfence	Unknown
SEO	Rank Math PRO	Unknown
Caching	WP Rocket	Unknown
Multilingual	WPML	4.8.6
Performance	Perfmatters	Unknown
CDN	Cloudflare (APO)	N/A
Monitoring	Elastic APM RUM	Unknown
Analytics	GA4 + GTM + Zoho PageSense + Hotjar	N/A
Forms	Google reCAPTCHA v3	N/A
Chat	Click to Chat (WhatsApp)	4.37
Popups	Popup Maker	1.21.5
Cookie	Cookie Notice	2.5.14
JS Libraries	jQuery 3.7.1, jQuery UI 1.13.3, Swiper 8.4.5, imagesLoaded 5.0.0	Various

12 Port Scan Results

72 ports scanned on both Cloudflare edge IPs. All open ports are Cloudflare defaults — no origin ports directly reachable.

Port	Service	Status	Notes
53	DNS	Open	Cloudflare DNS
80	HTTP	Open	Redirects to HTTPS
443	HTTPS	Open	Main website
2082	cPanel	Open	Cloudflare default port, no cPanel
2083	cPanel SSL	Open	Cloudflare default port
2086	WHM	Open	Cloudflare default port
2087	WHM SSL	Open	Cloudflare default port
8080	Alt HTTP	Open	Cloudflare default port
8443	Alt HTTPS	Open	Cloudflare default port
8880	Alt HTTP	Open	Cloudflare default port

All dangerous service ports (SSH, FTP, databases, RDP) are closed. No direct access to origin infrastructure via standard ports.

13 SSL/TLS Audit

Check	Result	Verdict
Protocol: TLS 1.3	Supported (default)	Pass
Protocol: TLS 1.2	Supported	Pass
Protocol: TLS 1.1	Disabled	Pass
Protocol: TLS 1.0	Disabled	Pass
Protocol: SSLv3	Disabled	Pass
Default Cipher	TLS_AES_256_GCM_SHA384 + X25519	Excellent
NULL ciphers	Rejected	Pass
EXPORT ciphers	Rejected	Pass
RC4 ciphers	Rejected	Pass
DES/3DES ciphers	Rejected	Pass
MD5 ciphers	Rejected	Pass
Certificate Type	ECDSA P-256 with SHA-256	Modern
Certificate Issuer	Google Trust Services (WE1)	Pass
SANs	company-b.example.com, *.company-b.example.com (wildcard)	Pass
Expiry	May 20, 2026 (~70 days)	Monitor
OCSP Stapling	Enabled, status: "good"	Pass
HSTS	max-age=31536000; includeSubDomains; preload	Excellent
Heartbleed	Not vulnerable	Pass
HTTP/3 (QUIC)	Enabled	Modern

SSL/TLS configuration is excellent. No weaknesses found.

14 Email Security

Check	Result	Verdict
MX Records	Mimecast EU (pri 1) + M365 (pri 3)	Good
SPF	`v=spf1 include:eu._netblocks.mimecast.com include:zcsend.in include:amazonses.com include:ap-south-1.amazonses.com include:mail.zohoanalytics.in include:spf.protection.outlook.com ip4:10.0.2.2 ip4:10.0.2.4 -all`	Overly broad
SPF Enforcement	`-all` (hard fail)	Good
DMARC	`v=DMARC1; p=none; rua=...`	Weak (p=none)
DKIM	No records found (14+ selectors tested)	Missing
Mimecast Gateway	Active (inbound filtering)	Good
M365 Backend	redacted.onmicrosoft.com	Info
Brevo Verification	TXT record present	Info

Bottom line: Inbound email security is strong (Mimecast + M365). Outbound authentication is weak — DMARC p=none and no DKIM means emails from @company-b.example.com can be easily spoofed.

15 Positive Security Controls

✓
HSTS with preload — max-age=31536000, includeSubDomains, in HSTS preload list
✓
TLS 1.2/1.3 only — SSLv3, TLS 1.0, 1.1 all disabled. Strong ciphers only.
✓
X-Frame-Options: sameorigin — Clickjacking prevented
✓
X-Content-Type-Options: nosniff — MIME sniffing prevented
✓
Cloudflare WAF + DDoS + APO — Edge-level protection active
✓
Wordfence WAF — Application-layer protection (partially effective)
✓
Admin panels blocked (403) — wp-login.php, wp-admin, xmlrpc.php, readme.html
✓
User enumeration blocked — /wp-json/wp/v2/users returns 401
✓
SPF hard fail (-all) — Unauthorized senders rejected
✓
Mimecast inbound gateway — Email security before M365
✓
WP generator tag stripped — WordPress version not disclosed in meta
✓
OCSP stapling enabled — Certificate status verification optimized
✓
HTTP/3 (QUIC) enabled — Modern transport protocol active
✓
No sensitive files directly accessible — All sensitive paths return 403, not 200
✓
Cloudflare email obfuscation — Email addresses protected from scrapers

16 DDoS Vector Analysis

Vector	Endpoint	Response Time	Mitigated?	Risk
admin-ajax.php Heartbeat	`/wp-admin/admin-ajax.php`	1.9s per request	No	Medium-High
REST API Amplification	`/wp-json/wp/v2/posts?per_page=100`	4.0s / 2.1 MB	No	Medium
WP-Cron Task Trigger	`/wp-cron.php?doing_wp_cron=1`	0.47s	Partial	Low-Medium
Search ReDoS	`/?s=(((.))))`	~3.0s	Partial	Low
XML-RPC Pingback	`/xmlrpc.php`	N/A	Yes (403)	Mitigated
Slowloris	TCP connections	N/A	Yes (Cloudflare)	Mitigated
DNS Amplification	DNS ANY query	N/A	Yes (RFC 8482)	Mitigated
Login Flood	`/wp-login.php`	N/A	Yes (403)	Mitigated

Key finding: While Cloudflare mitigates network-layer DDoS (Slowloris, DNS amplification) and the server blocks XML-RPC/login floods, application-layer DDoS via admin-ajax.php and REST API is unmitigated. No rate limiting was detected on any dynamic endpoint.

17 Known CVE & Vulnerability Check

Component	Version	Latest	CVEs Found	CVSS	Status
Astra Theme	4.12.3	4.12.4	CVE-2026-3534 — Stored XSS via post meta	6.4	VULNERABLE
Elementor	3.35.6	3.35.6	None for this version	N/A	Current
Elementor Pro	3.35.1	3.35.x	None for this version	N/A	Current
WPML	4.8.6	4.9.2	Known CVEs patched before this version	N/A	Outdated
Popup Maker	1.21.5	~1.21.5	CVE-2025-9490 patched in 1.21.1	N/A	Patched
Cookie Notice	2.5.14	2.5.14	None	N/A	Current
Click to Chat	4.37	4.37	CVE-2025-5336 patched in 4.23	N/A	Patched
Essential Addons	6.5.13	6.5.13	CVE-2026-1512 patched in 6.5.10	N/A	Patched
Wordfence	8.1.4	Unknown	None	N/A	OK
WP Rocket	Unknown	3.20.5	CVE-2026-28044 XSS ≤3.19.4	5.9	Verify
Rank Math PRO	Unknown	3.0.107+	Multiple XSS ≤3.0.35	6.6	Verify
jQuery	3.7.1	4.0.0	None	N/A	Outdated (safe)
jQuery UI	1.13.3	1.13.3	None	N/A	Current

Action required: Astra theme must be updated to 4.12.4 immediately. WPML, WP Rocket, and Rank Math PRO versions should be verified and updated if outdated.

18 WordPress Attack Vector Results

User Enumeration

Method	Result	Verdict
`?author=1` through `?author=5`	All return 404	Blocked
`/wp-json/wp/v2/users`	401 Unauthorized	Blocked
`/wp-json/wp/v2/users/1`	404 Not Found	Blocked
`?rest_route=/wp/v2/users`	401 Unauthorized	Blocked
`/wp-json/wp/v2/posts` (author field)	Exposes author IDs (5, 7)	Partial Leak
`/feed/` dc:creator tags	No author names in feed	Blocked

Plugin API Endpoint Exposure

Endpoint	Status	Data Exposed	Risk
`/wp-json/wordfence/v1/`	200	Full route map: scan, config, auth, firewall endpoints	High
`/wp-json/elementor/v1/`	200	Elementor route map	Medium
`/wp-json/elementor-pro/v1/`	200	Elementor Pro route map	Medium
`/wp-json/rankmath/v1/`	200	Rank Math route map	Low
`/wp-json/wp-rocket/v1/`	200	WP Rocket route map	Low
`/wp-json/wp/v2/settings`	401	Auth required	Blocked
`/wp-json/wp/v2/plugins`	401	Auth required	Blocked
`/wp-json/wp/v2/themes`	401	Auth required	Blocked

Version Disclosure via readme.txt

File	Status	Version Revealed
`/wp-content/plugins/elementor/readme.txt`	200	Elementor 3.35.6
`/wp-content/plugins/wordfence/readme.txt`	200	Wordfence 8.1.4
`/wp-content/themes/astra/readme.txt`	200	Astra 4.12.3
`/wp-content/plugins/popup-maker/readme.txt`	200	Popup Maker 1.21.5
`/wp-content/plugins/elementor-pro/readme.txt`	403	Blocked (good)

Login & Upload Security

Test	Result	Verdict
wp-login.php (GET)	403	Blocked
wp-login.php (POST with creds)	403	Blocked
wp-login.php?action=lostpassword	403	Blocked
wp-login.php?action=register	403	Blocked
/wp-content/uploads/ directory listing	403	Blocked
/wp-admin/admin-ajax.php (heartbeat)	200	Open (DDoS risk)
/wp-cron.php	200	Open

Replace broad amazonses.com include. Review public "site" repo for leaked secrets.

20 Methodology & Scope

Parameter	Detail
Type	External black-box penetration test
Scope	company-b.example.com, all subdomains, shared-server sites, email domain
Authorization	Written authorization from Company B co-founder
Standards	OWASP Testing Guide v4.2, PTES, NIST SP 800-115
Approach	Non-destructive. No active exploitation. No DoS. No credential brute-forcing.
Duration	Single session, March 11, 2026
Tester	Redacted Tester

Test Modules Executed

#	Module	Tools Used	Checks
01	DNS & Infrastructure Recon	host, openssl, curl, nc	22 DNS queries, reverse DNS, cert analysis, port probe
02	Subdomain Enumeration	sublist3r, dnsrecon, host, WebSearch	130+ subdomain checks, CT log analysis
03	HTTP Security Headers	curl, WebFetch	18 header checks, CORS, methods, cookies, redirects
04	Sensitive File Discovery	curl	130+ paths (config files, admin panels, APIs, backups)
05	Tech Stack & WAF Detection	curl, WebFetch	CMS fingerprint, 13 plugins, WAF bypass testing, JS analysis
06	Email Security & OSINT	host, WebSearch, WebFetch	SPF/DMARC/DKIM audit, breach check, employee OSINT
07	SSL/TLS Deep Audit	openssl, curl	Protocol versions, ciphers, cert chain, OCSP, Heartbleed
08	Web App Vulnerability Scan	curl, WebFetch	SQLi, XSS, path traversal, header injection, CORS, forms
09	Port Scan & Services	bash /dev/tcp, nc, curl	72 ports scanned, banner grabbing, virtual host check
10	WordPress Attack Vectors	curl, WebFetch	User enum (6 methods), REST API probing, plugin endpoints, readme.txt, cron, uploads
11	CSRF & Form Attacks	curl, WebFetch	Form discovery, nonce validation, admin-ajax CSRF, referer bypass
12	DDoS Vector Analysis	curl, bash	8 DDoS vectors tested: wp-cron, xmlrpc, Slowloris, REST API amp, admin-ajax
13	Known CVE Check	WebSearch	13 components checked against NVD, WPScan, Patchstack databases

Limitations

No authenticated testing (no credentials provided)
No active exploitation of discovered vulnerabilities
No brute-force attacks on login forms
No DoS or load testing
Cloudflare WAF blocked some scanning patterns, potentially masking additional findings
Origin server ports not directly scanned (only Cloudflare edge IPs)
Vercel-hosted subdomains (ps, sop) and Zoho portals not deeply tested