Confidential — Authorized Penetration Test

Penetration Test Report

Company B Technologies Pvt Ltd — company-b.example.com — Full Assessment V2

Target: company-b.example.com + all subdomains
Date: March 11, 2026
Type: External Black-Box
Authorization: Co-founder (Written)
Tester: Redacted Tester
Modules Run: 13
Overall Risk: High
01 Executive Summary

High: 13 | Medium: 13 | Low: 9 | Info: 5 | Subdomains: 12 | Active CVE: 1

An authorized 13-module penetration test was conducted against company-b.example.com on March 11, 2026. Company B is a cybersecurity company (100+ employees, Mumbai) running a WordPress site behind Cloudflare CDN/WAF plus Wordfence.

Key findings, weighted for a cybersecurity company:

CSRF: No anti-CSRF nonces in any of the 4 public forms. The WP nonces present in page JS are identical for every anonymous visitor (WordPress design: logged-out nonces are not session-bound, and WP Rocket caching makes this visible), and invalid or absent nonces are not rejected. reCAPTCHA is the sole defense. Because these are unauthenticated lead-capture forms, the practical impact is forged submissions (spam, resume upload abuse) rather than actions in a victim's session.
WAF gap: Wordfence blocks <script> in ?q= but lets event-handler payloads through in ?s= (HTTP 200). Whether the term is reflected unescaped was not confirmed; WordPress core escapes the search term, so this is a filtering gap rather than a proven XSS. No CSP as fallback.
Origin IP exposure: 3 subdomains bypass Cloudflare entirely, exposing origin servers to direct attack.
Email spoofing: DMARC p=none plus no DKIM means a spoofed @company-b.example.com message receives no policy-mandated rejection; delivery depends on each receiver's own SPF-hardfail handling.
Active CVE: Astra theme v4.12.3 has CVE-2026-3534 (Stored XSS, Contributor+ account required). Patch available.
Application-layer DoS: admin-ajax.php heartbeat (1.9s, no rate limit) and the REST API (2.1 MB/request) are unmitigated.
Data on disk: wp-config.php backup paths, debug.log and a phpMyAdmin path return 403 rather than 404. Existence is inferred, not confirmed, since pattern-based WAF rules also return 403; verify on the server.

No critical (P0) vulnerabilities were found. Score: 45/100.

02 Security Score

45/100

Critical: 0 | High: 13 | Medium: 13 | Low: 9 | Info: 5
03 Discovered Architecture

User → Cloudflare (WAF + CDN + APO) → Apache (origin server) → Wordfence (application WAF) → WordPress (13 plugins)

Component | Technology | Detail
CMS | WordPress 6.x | Astra 4.12.3, Elementor Pro 3.35.1, 13 plugins
CDN/WAF | Cloudflare | APO, HTTP/3, email obfuscation, NEL
App WAF | Wordfence 8.1.4 | Blocks login/admin/xmlrpc, partial XSS filtering
SSL | Google Trust Services | ECDSA P-256 wildcard, TLS 1.2/1.3
Email | Mimecast EU → M365 | SPF -all, DMARC p=none, no DKIM
Monitoring | Elastic APM RUM | Config leaked in page source
Analytics | GA4, GTM, Zoho, Hotjar | 4 tracking platforms
Origin IPs | 10.0.2.1/19/20 | Exposed via subdomains + SPF
04 Subdomain Enumeration

Live Subdomains (12)

Subdomain | Target | Service | Protected?
www | Cloudflare | Main site | Yes
kb | Cloudflare | Knowledge base | Yes
rum | Cloudflare | Elastic APM | Yes
collector | 10.0.2.1 | Data collector | No CDN
fleet | 10.0.2.1 | Fleet mgmt | No CDN
lms | 10.0.2.3 | LMS | No CDN
ps | Vercel | Unknown | Vercel
sop | Vercel | Unknown | Vercel
uniview | Zoho Creator | Portal | Zoho
univiewportal | Zoho Creator | Portal | Zoho
autodiscover | M365 | Email config | M365

Dead Subdomains — Takeover Candidates (9)

blog, demo, falcondr, ironhash-new, nc, ncompass, o9solutions, sentientnx, uat-uniview

These names appear in Certificate Transparency logs but now resolve NXDOMAIN. A name with no DNS record at all cannot be taken over; takeover needs a dangling record (typically a CNAME) that still points at a deprovisioned service. They are listed because they disclose past projects and partner names, and because the hosting accounts they once pointed at may still carry records. Check each provider's DNS and any remaining CNAMEs before closing this item.
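Classifying each live name by where it resolves is the check behind the Protected? column above. The Python below is an added example written for this report, not a tool used in the engagement. It runs over a constructed resolution table modelled on the Live Subdomains table (the Cloudflare-range IPs and the CNAME targets are illustrative, not observed), and the Cloudflare ranges it embeds are a subset of Cloudflare's published IPv4 list that must be refreshed from https://www.cloudflare.com/ips-v4 before real use. The socket-based resolver at the end is optional, so the same audit can be pointed at live DNS.

```python
"""Classify hostnames as Cloudflare-fronted, third-party hosted, or direct origin.

Added example for this report, not code from the engagement.
"""
import ipaddress
import socket
from collections import defaultdict

# Assumption: subset of Cloudflare's published IPv4 ranges at time of writing.
# Refresh from https://www.cloudflare.com/ips-v4 before relying on this list.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# CNAME targets meaning "hosted by a SaaS vendor, not the customer's origin".
# Assumption: vercel-dns.com for Vercel, outlook.com for M365 autodiscover.
SAAS_CNAME_SUFFIXES = ("vercel-dns.com", "vercel.app", "outlook.com", "zoho.com")

# Constructed resolution table modelled on the Live Subdomains table.
# Values: ("A", ip), ("CNAME", target) or None for NXDOMAIN. The Cloudflare-range
# IPs and the CNAME targets are illustrative, not observed data.
CONSTRUCTED_RECORDS = {
    "www.company-b.example.com":          ("A", "104.16.1.1"),
    "kb.company-b.example.com":           ("A", "104.16.1.2"),
    "collector.company-b.example.com":    ("A", "10.0.2.1"),
    "fleet.company-b.example.com":        ("A", "10.0.2.1"),
    "lms.company-b.example.com":          ("A", "10.0.2.3"),
    "ps.company-b.example.com":           ("CNAME", "cname.vercel-dns.com"),
    "autodiscover.company-b.example.com": ("CNAME", "autodiscover.outlook.com"),
    "blog.company-b.example.com":         None,
}

CLOUDFLARE, THIRD_PARTY, DIRECT_ORIGIN, NXDOMAIN, CHECK_CNAME = (
    "cloudflare", "third-party", "direct-origin", "nxdomain", "check-cname")


def is_cloudflare_ip(ip: str) -> bool:
    """True if the address falls inside one of the embedded Cloudflare ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def classify(record) -> str:
    """Map one resolution result onto the Protected? column categories."""
    if record is None:
        return NXDOMAIN
    rtype, value = record
    if rtype == "CNAME":
        target = value.rstrip(".").lower()
        if target.endswith(SAAS_CNAME_SUFFIXES):
            return THIRD_PARTY
        return CHECK_CNAME  # unknown CNAME chain: follow it by hand
    return CLOUDFLARE if is_cloudflare_ip(value) else DIRECT_ORIGIN


def audit(records: dict) -> dict:
    """Verdict per hostname."""
    return {host: classify(rec) for host, rec in records.items()}


def exposed_origins(records: dict) -> dict:
    """Group direct-origin hosts by IP: shared IPs show which services sit on one box."""
    by_ip = defaultdict(list)
    for host, rec in records.items():
        if rec is not None and rec[0] == "A" and classify(rec) == DIRECT_ORIGIN:
            by_ip[rec[1]].append(host)
    return {ip: sorted(hosts) for ip, hosts in by_ip.items()}


def resolve_with_socket(host: str):
    """Optional live resolver (A records only; it will not reveal CNAME chains)."""
    try:
        return ("A", socket.gethostbyname(host))
    except socket.gaierror:
        return None


if __name__ == "__main__":
    for host, verdict in audit(CONSTRUCTED_RECORDS).items():
        print(f"{host:40} {verdict}")
    print(exposed_origins(CONSTRUCTED_RECORDS))
```

exposed_origins() is the useful part for remediation planning: collector and fleet collapse onto one IP, so firewalling that single origin to Cloudflare's ranges closes two of the three bypasses at once.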

05 Attack Surface Map

Surface | Exposure | Protection | Risk
Main Website | WordPress + 13 plugins | Cloudflare + Wordfence | Medium
Origin Servers | 3 IPs exposed | None (CF bypassed) | High
Forms (4) | No CSRF nonces | reCAPTCHA only | High
WP REST API | 28 namespaces | User enum blocked | High
Email Domain | DMARC p=none, no DKIM | SPF -all, Mimecast | High
DDoS Vectors | admin-ajax, REST API | No rate limiting | Medium
Dead Subdomains | 9 NXDOMAIN entries | None | Medium
06 High Severity Findings (13)

H1

Wildcard CORS — Access-Control-Allow-Origin: *

Responses carry Access-Control-Allow-Origin: * regardless of the requesting origin. Tested with Origin: evil.com and Origin: null; both return *. Caveat: browsers never attach cookies or other credentials to a request answered with *, so today this only lets arbitrary sites read content that is already public. It becomes serious if any endpoint behind this header ever returns per-user or non-public data, or if the configuration is later changed to echo the request Origin together with Access-Control-Allow-Credentials: true.

Fix
Remove the header where cross-origin reads are not needed. Where they are, return an explicit allow-list of origins (from a Cloudflare response-header Transform Rule or the origin) and never reflect the request Origin unchecked.
H2

Missing Content-Security-Policy

No CSP header or meta tag. 15+ external scripts are loaded. Any XSS (reflected, stored via CVE-2026-3534, or introduced through a compromised third-party script) has no browser-side mitigation.

Fix
Add CSP via a Cloudflare response-header Transform Rule. Start with Content-Security-Policy-Report-Only and a script-src allow-list (nonces or hashes for inline scripts), review the violation reports, then enforce.
H3

WordPress REST API Fully Exposed (28 namespaces)

The /wp-json/ index returns ~764 KB of JSON listing every namespace and route, which enumerates the full plugin stack: Wordfence, Rank Math PRO, Elementor Pro, WP Rocket, WPML, Popup Maker, Elementor AI. This is information disclosure; the routes themselves remain subject to their own permission callbacks (see I2 and L9).

Fix
Disable the /wp-json/ index and unneeded plugin namespaces for unauthenticated requests (the rest_index and rest_authentication_errors filters, Wordfence, or a Cloudflare rule). Test the front end afterwards: Elementor, oEmbed and some form plugins call the REST API from the browser, so a blanket block on /wp-json/ can break the site.
H4

wp-config.php Backup Files on Disk

wp-config.php.bak and wp-config.php.old return 403 rather than 404. Caveat: the WAF layers here block some paths by pattern regardless of whether the file exists, so a 403/404 difference suggests but does not prove presence. If the files do exist and the WAF is bypassed via the exposed origin IP, DB credentials, auth keys and salts are exposed.

Fix (Immediate)
Confirm on the server (ls -la wp-config.php*), delete any copies found (rm wp-config.php.bak wp-config.php.old), and rotate every credential and the AUTH_KEY/SALT set in wp-config.php. Keep backups outside the web root.
H5

DMARC Policy p=none — Email Spoofing Possible

With p=none, a receiver that sees a spoofed @company-b.example.com message gets no instruction to quarantine or reject it; delivery then depends on the receiver's own handling of the SPF hard fail and on reputation checks. Critical for a cybersecurity company.

Fix
Sequence matters: publish DKIM first (H6) and add a rua= reporting address, otherwise enforcement will also reject legitimate forwarded mail. Then Phase 1: p=quarantine (optionally with pct= to ramp up) → Phase 2: p=reject once reports show all legitimate senders aligned.
H6

No DKIM Records (14+ selectors tested)

No DKIM record was found at any of 14+ common selectors. Selector names are arbitrary, so this is strong evidence rather than proof; confirm by reading the Authentication-Results header on a message actually sent from the domain. Without DKIM, DMARC alignment relies solely on SPF, which does not survive forwarding or mailing lists: forwarded messages fail authentication entirely.

Fix
Enable DKIM signing for every service that sends as this domain: M365 (selector1/selector2 CNAMEs), Mimecast, and SES and Brevo if they send on the domain's behalf.
H7

Origin Server IPs Exposed — Cloudflare Bypass

collector and fleet resolve directly to 10.0.2.1, lms to 10.0.2.3, and the SPF record lists 10.0.2.2 and 10.0.2.4. Anyone can reach these hosts without passing through Cloudflare's WAF or DDoS protection and can probe the origin directly.

Fix
Route all subdomains through Cloudflare (or Cloudflare Tunnel). Firewall the origin so that only Cloudflare's published IP ranges can reach ports 80/443. Rotate the origin IPs afterwards, since the current ones are already public in DNS history and SPF, and remove from SPF any IP that does not actually send mail.
H8

Elastic APM Config Leaked in Page Source

Inline JS exposes the RUM agent config: serviceName: 'Redacted-Service', environment: 'redacted-env', serverUrl: 'rum.company-b.example.com', and distributed tracing enabled across all *.company-b.example.com. Caveat: a RUM agent runs in the browser, so the collector URL is visible by design; the exposure is the internal service and environment naming, and the fact that anyone can post traces to the collector.

Fix
Strip internal names from the client-side config and keep only what the agent needs. Lock down the rum endpoint: restrict allowed origins on the APM server, rate-limit it, and keep it behind Cloudflare.
H9

WAF Bypass: XSS Payloads via Search Parameter

Wordfence returns 403 for ?q=<script> but 200 for ?s=<img onerror> and ?s=<svg onload>. The filtering is inconsistent across parameters. Caveat: 200 means the WAF did not block, not that the payload executes. WordPress core escapes the search term on the results page, so unless a theme or plugin echoes the raw value this is a defense-in-depth gap rather than a confirmed reflected XSS; reflection must be checked in the response body.

?q=<script>alert(1)</script> → 403 (blocked)
?s=<img src=x onerror=alert(1)> → 200 (not blocked)
?s=<svg/onload=alert(1)> → 200 (not blocked)

Fix
Extend the Wordfence rules to cover ?s= (and any other reflected parameter). Add CSP as defense-in-depth.
H10

Wordfence REST API Route Map Exposed

/wp-json/wordfence/v1/ returns the full route map, including scan, config, auth and firewall endpoints, to unauthenticated requests. Listing the routes does not grant access to them (each still has its own permission callback), but it hands an attacker a blueprint of the security scanner.

Fix
Restrict /wp-json/wordfence/ to authenticated admins, or block it at Cloudflare for non-admin clients.
H11

Active CVE-2026-3534 — Astra Theme Stored XSS

Astra v4.12.3 is vulnerable. Stored XSS via post meta fields. Requires an account at Contributor level or above, so exposure is bounded by who holds such accounts. Fixed in 4.12.4 (released ~Mar 10).

CVSS: 6.4

Fix (Immediate)
Update the Astra theme to v4.12.4 immediately.
H12

No CSRF Nonces in Any HTML Form (4 forms)

Forms on contact-us, careers (with file upload), penetration-testing-services, and the homepage popup contain no anti-CSRF tokens. reCAPTCHA is the single point of failure. Caveat: these forms are submitted by anonymous visitors, so there is no victim session to ride; the realistic CSRF outcome is forged submissions (spam, abusive resume uploads) rather than actions taken as another user. The missing-token pattern matters more for any authenticated form the same builder generates.

Pages with unprotected forms:
/contact-us/ → name, email, phone, message (0 CSRF tokens)
/careers/ → name, email, phone, resume upload (0 CSRF tokens)
/penetration-testing-services/ → contact form (0 CSRF tokens)
Homepage popup → lead capture (0 CSRF tokens)

Fix
1. Add wp_nonce_field() to all Elementor forms and check it with wp_verify_nonce() on submission (see H13 on what nonces can and cannot do for anonymous forms).
2. Validate the Origin header (Referer as fallback) server-side on every POST.
3. Set SameSite=Lax (Strict where it does not break admin flows) on authentication cookies; public pages set no session cookie, so this protects wp-admin rather than the lead forms.
4. Keep reCAPTCHA and add per-IP rate limiting on the form endpoints.
H13

WP Nonces Cached/Static — Not Session-Bound

The nonces embedded in page JS (REDACTED_NONCE, REDACTED_NONCE) are identical across sessions, and the server does not reject invalid or absent nonces: all variants produce the same response. Two points for the reader. First, identical nonces for logged-out visitors are WordPress behaviour, not only a WP Rocket artifact: wp_create_nonce hashes the 12-hour tick, the action, the user ID (0) and the session token (empty) for anyone not logged in, so every anonymous visitor in the same window gets the same value, and a cached page merely makes that visible. Nonces therefore give no CSRF protection on anonymous forms. Second, an HTTP 200 from admin-ajax.php does not by itself mean a submission was accepted; wp_send_json_error also returns 200 by default, so the JSON body and the form's stored entries must be checked.

Session 1 nonce: REDACTED_NONCE (from cached page)
Session 2 nonce: REDACTED_NONCE (identical)
POST with nonce=INVALID → 200 OK
POST with nonce=ABSENT → 200 OK

Fix
For logged-in actions: exclude those pages from the WP Rocket cache, or fetch a fresh nonce via an uncached AJAX call, and reject invalid or missing nonces server-side. For anonymous forms: rely on Origin/Referer checks, reCAPTCHA and rate limiting, since a nonce cannot distinguish one anonymous visitor from another.
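The identical nonces seen in H13 (and the nonce rows of section 11) are what WordPress produces for any logged-out visitor, cache or no cache. The Python below is an added illustration for this report: a re-implementation of the WordPress nonce algorithm (wp_create_nonce, wp_verify_nonce, wp_nonce_tick) rather than WordPress's own code, with a constructed salt, a made-up action name and made-up user and session values. It shows that two anonymous visitors get the same nonce, that logged-in users with different session tokens do not, and that the server accepts a nonce for up to 24 hours.

```python
"""WordPress nonce algorithm re-implemented in Python (added example for this
report, not WordPress code) to show why anonymous visitors share a nonce."""
import hashlib
import hmac
import math
import time

# Constructed stand-in for NONCE_KEY . NONCE_SALT from wp-config.php.
NONCE_SALT = b"constructed-nonce-salt-for-illustration"
DAY_IN_SECONDS = 86400


def wp_hash(data: str, salt: bytes = NONCE_SALT) -> str:
    """wp_hash($data, 'nonce'): HMAC-MD5 keyed with the nonce salt."""
    return hmac.new(salt, data.encode(), hashlib.md5).hexdigest()


def wp_nonce_tick(now: float, nonce_life: int = DAY_IN_SECONDS) -> int:
    """wp_nonce_tick(): the tick advances once every nonce_life/2 seconds (12 h)."""
    return math.ceil(now / (nonce_life / 2))


def _nonce_for_tick(tick: int, action: str, uid: int, token: str) -> str:
    # substr(wp_hash(...), -12, 10): ten characters starting 12 from the end.
    return wp_hash(f"{tick}|{action}|{uid}|{token}")[-12:-2]


def wp_create_nonce(action: str, uid: int = 0, session_token: str = "", now=None) -> str:
    """uid is 0 and session_token is '' for a visitor who is not logged in, so the
    only input that varies between anonymous visitors is the 12-hour tick."""
    if now is None:
        now = time.time()
    return _nonce_for_tick(wp_nonce_tick(now), action, uid, session_token)


def wp_verify_nonce(nonce: str, action: str, uid: int = 0, session_token: str = "", now=None) -> int:
    """Returns 1 (0-12 h old), 2 (12-24 h old) or 0 (invalid), as WordPress does."""
    if now is None:
        now = time.time()
    tick = wp_nonce_tick(now)
    for age, t in ((1, tick), (2, tick - 1)):
        if hmac.compare_digest(_nonce_for_tick(t, action, uid, session_token), nonce):
            return age
    return 0


if __name__ == "__main__":
    # Fixed timestamp so the demonstration does not straddle a tick boundary.
    t0 = 43_200_100.0
    visitor_a = wp_create_nonce("submit_form", now=t0)        # logged-out visitor
    visitor_b = wp_create_nonce("submit_form", now=t0 + 3600)  # another, an hour later
    editor = wp_create_nonce("submit_form", uid=5, session_token="tok-a", now=t0)
    print("anonymous A:", visitor_a, "anonymous B:", visitor_b, "same:", visitor_a == visitor_b)
    print("logged-in user 5:", editor)
    print("A's nonce 13 h later verifies as:", wp_verify_nonce(visitor_a, "submit_form", now=t0 + 13 * 3600))
    print("A's nonce 25 h later verifies as:", wp_verify_nonce(visitor_a, "submit_form", now=t0 + 25 * 3600))
```

The practical reading: a nonce distinguishes one logged-in user's session from another's and expires after a day; it was never designed to distinguish anonymous visitors, which is why reCAPTCHA, Origin checks and rate limiting carry the load on public forms.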
07 Medium Severity Findings (13)

ID | Finding | Detail | Fix
M1 | PUT/DELETE/PATCH return 200 | Only TRACE is rejected (405). On a CMS front page a 200 usually means the page was served regardless of method, not that a resource was written; unneeded methods should still be refused. | Restrict to GET/HEAD/POST/OPTIONS in Apache (Limit/LimitExcept) or a Cloudflare rule
M2 | debug.log responds 403 | A WP debug log may contain PHP errors, stack traces and credentials. The 403 suggests but does not prove the file exists (pattern-based WAF rules also return 403); verify on the server. | Delete the file; disable WP_DEBUG_LOG or log outside the web root
M3 | xmlrpc.php exists (403) | Known brute-force/DDoS vector, present in every WordPress install. The WAF block only helps while the origin is unreachable (H7). | Disable XML-RPC at the origin as well (xmlrpc_enabled filter or Apache deny), not only at the WAF
M4 | phpMyAdmin path responds 403 | A DB admin interface may be present on the production server; verify on the server, as with M2. | Remove, or move behind VPN/IP allow-list
M5 | 9 dead subdomains | CT log entries that now resolve NXDOMAIN. Not takeover-able while no DNS record exists; the risk is leftover records at providers and name disclosure. | Confirm no dangling CNAMEs remain at any provider; clean up
M6 | No CAA DNS record | Any CA can issue certs for company-b.example.com. | Add CAA for pki.goog plus every CA Cloudflare may issue from for proxied hosts (per Cloudflare's documented CA list)
M7 | Missing Referrer-Policy | Modern browsers already default to strict-origin-when-cross-origin, so full-URL leakage to the 15+ third parties is limited to older clients; the header makes the policy explicit. | Referrer-Policy: strict-origin-when-cross-origin
M8 | Missing Permissions-Policy | Camera, mic and geolocation are unrestricted for third-party scripts. | Permissions-Policy: camera=(), microphone=(), geolocation=()
M9 | wp-cron.php accessible | 200 OK, triggers scheduled tasks (0.47s). Potential DoS vector. | define('DISABLE_WP_CRON', true) and run wp-cron from a server cron job
M10 | 13 plugin versions exposed | Elementor 3.35.6, Astra 4.12.3, WPML 4.8.6, etc. visible in HTML. | Strip version query strings via Perfmatters
M11 | No Referer/Origin validation | Form submissions with an evil.com Referer are processed identically. | Validate the Origin header server-side (Referer as fallback)
M12 | admin-ajax.php DoS vector | Heartbeat: 1.9s/request, bypasses the CF cache, no rate limit. | Rate-limit at Cloudflare; disable heartbeat for logged-out users
M13 | REST API bandwidth amplification | per_page=100 returns 2.1 MB in 4s. No rate limiting. | Cap per_page (e.g. 10) via the rest_{post_type}_collection_params filter; add CF rate rules
08 Low Severity Findings (9)

ID | Finding | Detail
L1 | SPF overly broad | include:amazonses.com authorizes every SES customer's sending IPs, not only Company B's
L2 | No SRI on scripts | No integrity hashes on external JS/CSS
L3 | M365 tenant exposed | redacted.onmicrosoft.com
L4 | Cert expires ~70 days | May 20, 2026. Verify auto-renewal.
L5 | Dual jQuery versions | 3.7.1 (WP) + 3.6.0 (CDN) both loaded
L6 | reCAPTCHA site key exposed | REDACTED_RECAPTCHA_KEY...2A7H visible in source (site keys are public by design; the secret key was not observed)
L7 | Analytics IDs exposed | GA4, GTM, Zoho PageSense IDs in source (public by design; useful for OSINT correlation)
L8 | Plugin readme.txt accessible | Wordfence 8.1.4, Elementor, Astra versions confirmed
L9 | Author IDs in posts API | author:5 and author:7 in JSON responses
09 Informational (5)

ID | Finding | Note
I1 | WP generator meta stripped | Good practice
I2 | User enum blocked (REST API) | /wp-json/wp/v2/users returns 401
I3 | Admin panels blocked (403) | wp-login, wp-admin, xmlrpc, readme.html
I4 | Public GitHub "site" repo | Review for leaked credentials
I5 | Contact info exposed | sales@, secops@, 4 co-founders identified
10 WAF Analysis — Dual Layer

Cloudflare (Edge) + Wordfence (Application)

Test | Payload | Status | Blocked By
XSS (?q=) | <script>alert(1)</script> | 403 | Wordfence
XSS (?s=) | <img onerror=alert(1)> | 200 | Not blocked
XSS (?s=) | <svg/onload=alert(1)> | 200 | Not blocked
SQLi | 1' OR '1'='1 | 200 | Not blocked
UA: sqlmap | User-Agent: sqlmap/1.0 | 403 | Cloudflare
UA: nikto | User-Agent: nikto | 200 | Not blocked
Path traversal | /../../../etc/passwd | 404 | Normalized
wp-login | Direct access | 403 | Blocked
wp-admin | Direct access | 403 | Blocked
xmlrpc.php | Direct access | 403 | Blocked

"Not blocked" records only that the request reached the application and got a 200; it does not show that the payload was reflected or executed (see H9). The same reading applies to the SQLi string: it was not blocked, and no injection was confirmed.
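Because a 200 in the matrix above (and in H9) only says the WAF let the request through, the test is incomplete without a reflection check on the body. The Python below is an added example for this report, not code from the engagement: classify() separates "blocked" from "passed the WAF but came back HTML-escaped" and "reflected unescaped", and run_matrix() drives it over a parameter/payload grid. simulated_fetch() is a constructed stand-in that models the observed 403/200 pattern plus WordPress core's escaping of the search term; live_fetch() is a real HTTP fetcher to be used only under the engagement's authorization, and the payload list and block codes are assumptions.

```python
"""Differential WAF test with a reflection check (added example for this report)."""
import html
import urllib.error
import urllib.parse
import urllib.request

BLOCKED = "blocked"                     # WAF answered with a block code
REFLECTED_RAW = "reflected-unescaped"   # payload appears verbatim: a real XSS sink
PASSED_ESCAPED = "passed-escaped"       # not blocked, but output encoding neutralised it
PASSED_ABSENT = "passed-not-reflected"  # not blocked, not reflected at all

WAF_BLOCK_CODES = {403, 406}  # assumption: Wordfence/Cloudflare block responses

PAYLOADS = (
    "<script>alert(1)</script>",
    "<img src=x onerror=alert(1)>",
    "<svg/onload=alert(1)>",
)
PARAMS = ("q", "s")


def classify(status: int, body: str, payload: str) -> str:
    """Turn one (status, body) pair into a verdict for the given payload."""
    if status in WAF_BLOCK_CODES:
        return BLOCKED
    if payload in body:
        return REFLECTED_RAW
    # WordPress esc_html() behaves like htmlspecialchars(ENT_QUOTES); html.escape is
    # equivalent for payloads without quotes (PHP emits &#039; where Python emits &#x27;).
    if html.escape(payload, quote=True) in body or html.escape(payload, quote=False) in body:
        return PASSED_ESCAPED
    return PASSED_ABSENT


def run_matrix(fetch, params=PARAMS, payloads=PAYLOADS) -> dict:
    """fetch(param, payload) -> (status, body). Returns {(param, payload): verdict}."""
    return {(p, pl): classify(*fetch(p, pl), pl) for p in params for pl in payloads}


def simulated_fetch(param: str, payload: str):
    """Constructed stand-in for the target: block '<script' on ?q=, and serve a
    200 search page that HTML-escapes the term on ?s=. Not observed traffic."""
    if param == "q" and "<script" in payload.lower():
        return 403, "<h1>403 Forbidden</h1>"
    if param == "s":
        return 200, f'<h1 class="page-title">Search Results for: {html.escape(payload, quote=True)}</h1>'
    return 200, "<h1>Home</h1>"


def live_fetch(base_url: str, timeout: int = 10):
    """Real fetcher for authorized testing only. Returns a fetch(param, payload) callable."""
    def fetch(param, payload):
        url = f"{base_url.rstrip('/')}/?{urllib.parse.urlencode({param: payload})}"
        req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0 (authorized test)"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status, resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:
            return err.code, err.read().decode("utf-8", "replace")
    return fetch


if __name__ == "__main__":
    for (param, payload), verdict in run_matrix(simulated_fetch).items():
        print(f"?{param}= {payload:32} {verdict}")
```

Only REFLECTED_RAW justifies the word "XSS" in a finding; PASSED_ESCAPED is the WAF gap the report describes, worth fixing as defense-in-depth but not exploitable on its own. Swap simulated_fetch for live_fetch("https://company-b.example.com") to reproduce the matrix against the target.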
11 CSRF Analysis

Forms Discovered & CSRF Posture

Page | Form Type | CSRF Token? | reCAPTCHA? | File Upload? | Risk
/contact-us/ | Contact form | None | Yes | No | High
/careers/ | Job application | None | Yes | Yes (resume) | High
/penetration-testing-services/ | Contact form | None | Yes | No | High
Homepage popup | Lead capture | None | Yes | No | High

CSRF Defense Assessment

Defense Layer | Status | Effective?
Anti-CSRF nonce tokens | Absent from all forms | No
WP nonce validation (server-side) | Nonces not validated; invalid/absent nonces accepted | No
WP nonce freshness | Identical for all anonymous visitors (WordPress design) and served from the WP Rocket cache | No
Origin/Referer validation | Not implemented; evil.com Referer accepted | No
SameSite cookie attribute | No session cookies set on public pages | N/A
Google reCAPTCHA v3 | Present on all forms | Partial
X-Frame-Options: SAMEORIGIN | Present | Yes (clickjacking)

Conclusion: reCAPTCHA is the only effective defense against forged submissions. All other layers are absent or ineffective. If reCAPTCHA is bypassed (solver services, or a score threshold set too low), all 4 forms can be submitted from any site. Because the forms are anonymous there is no victim session to hijack; the impact is spam and unsolicited file uploads into the careers workflow, not actions performed as another user.

12 DDoS Vector Analysis

Vector | Endpoint | Response | Mitigated? | Risk
admin-ajax heartbeat | /wp-admin/admin-ajax.php | 1.9s, bypasses CF cache | No | Med-High
REST API amplification | /wp-json/wp/v2/posts?per_page=100 | 4s, 2.1 MB | No | Medium
wp-cron trigger | /wp-cron.php?doing_wp_cron | 0.47s | Partial | Low-Med
Search ReDoS | /?s=(((.*)*)*)*)) | ~3s | Partial | Low
XML-RPC pingback | /xmlrpc.php | 403 | Yes | Mitigated
Slowloris | TCP connections | N/A | Yes (CF) | Mitigated
DNS amplification | DNS ANY query | RFC 8482 | Yes | Mitigated
Login flood | /wp-login.php | 403 | Yes | Mitigated

No rate limiting was observed on any dynamic endpoint. Within the non-destructive scope no load was generated, so this is inferred from the absence of any rate-limiting response on repeated single requests rather than measured under load. Network-layer DDoS is mitigated by Cloudflare, but the application-layer vectors via admin-ajax and the REST API are open, and all of them can also be aimed directly at the exposed origin IPs (H7), where Cloudflare offers no protection at all.

13 Known CVE & Vulnerability Check

Component | Version | Latest | CVEs | CVSS | Status
Astra Theme | 4.12.3 | 4.12.4 | CVE-2026-3534 Stored XSS | 6.4 | VULNERABLE
Elementor | 3.35.6 | 3.35.6 | None | N/A | Current
Elementor Pro | 3.35.1 | 3.35.x | None | N/A | Current
WPML | 4.8.6 | 4.9.2 | Known CVEs patched | N/A | Outdated
Popup Maker | 1.21.5 | ~1.21.5 | Patched | N/A | Current
Cookie Notice | 2.5.14 | 2.5.14 | None | N/A | Current
Click to Chat | 4.37 | 4.37 | Patched | N/A | Current
Essential Addons | 6.5.13 | 6.5.13 | Patched | N/A | Current
Wordfence | 8.1.4 | ~8.1.x | None | N/A | OK
WP Rocket | Unknown | 3.20.5 | CVE-2026-28044 if <3.20 | 5.9 | Verify
Rank Math PRO | Unknown | 3.0.107+ | XSS if <3.0.36 | 6.6 | Verify
jQuery | 3.7.1 | 4.0.0 | None | N/A | Outdated (safe)
jQuery UI | 1.13.3 | 1.13.3 | None | N/A | Current

Versions marked Unknown could not be read from the public site; confirm them from the WordPress dashboard before closing the Verify items.
14 WordPress Attack Vector Results

User Enumeration (6 methods tested)

Method | Result | Verdict
?author=1 through 5 | All 404 | Blocked
/wp-json/wp/v2/users | 401 | Blocked
?rest_route=/wp/v2/users | 401 | Blocked
Posts API author field | author:5, author:7 | Partial leak
RSS feed dc:creator | No names | Blocked
oEmbed author | No data | Blocked

Plugin API Exposure

Endpoint | Status | Risk
/wp-json/wordfence/v1/ | 200 (full route map) | High
/wp-json/elementor/v1/ | 200 | Medium
/wp-json/elementor-pro/v1/ | 200 | Medium
/wp-json/rankmath/v1/ | 200 | Low
/wp-json/wp/v2/settings | 401 | Blocked
/wp-json/wp/v2/plugins | 401 | Blocked

Login & Upload Security

Test | Result
wp-login.php (all methods) | 403 Blocked
wp-admin | 403 Blocked
/wp-content/uploads/ listing | 403 Blocked
admin-ajax.php heartbeat | 200 Open (DoS vector)
wp-cron.php | 200 Open
15 Technology Stack (13 plugins detected)

Category | Technology | Version
CMS | WordPress | 6.x (inferred)
Theme | Astra + Child | 4.12.3 / 1.0.0
Page Builder | Elementor + Pro | 3.35.6 / 3.35.1
Security | Wordfence | 8.1.4
SEO | Rank Math PRO | Unknown
Caching | WP Rocket | Unknown
Multilingual | WPML | 4.8.6
Performance | Perfmatters | Unknown
Popups | Popup Maker | 1.21.5
Cookie | Cookie Notice | 2.5.14
Chat | Click to Chat (WhatsApp) | 4.37
Addons | Essential Addons | 6.5.13
AI | Elementor AI | Unknown
16 Port Scan (72 ports tested)

Port | Service | Notes
53 | DNS | Cloudflare
80 | HTTP | Redirects to HTTPS
443 | HTTPS | Main site
2082/2083/2086/2087 | cPanel/WHM | Cloudflare proxy defaults (no actual cPanel)
8080/8443/8880 | Alt HTTP(S) | Cloudflare proxy defaults

SSH, FTP, databases (MySQL, PostgreSQL, MongoDB, Redis), RDP: all closed. These results describe the Cloudflare edge in front of the main site; the directly exposed origin IPs (H7) should be scanned separately, since they answer without Cloudflare in the path.

17 SSL/TLS Audit

Check | Result | Verdict
TLS 1.3 | Default (TLS_AES_256_GCM_SHA384 + X25519) | Excellent
TLS 1.2 | Supported | Pass
TLS 1.0/1.1/SSLv3 | Disabled | Pass
Weak ciphers (NULL/EXPORT/RC4/DES/3DES/MD5) | All rejected | Pass
Certificate | ECDSA P-256, Google Trust Services, wildcard | Modern
HSTS | max-age=31536000; includeSubDomains; preload | Excellent
OCSP stapling | Enabled, status: good | Pass
Heartbleed | Not vulnerable | Pass
HTTP/3 (QUIC) | Enabled | Modern
Cert expiry | May 20, 2026 (~70 days) | Monitor

The SSL/TLS configuration at the Cloudflare edge is excellent, with no weaknesses. HSTS includeSubDomains also applies to collector, fleet and lms, which are served by the origin rather than Cloudflare; their TLS configuration should be verified separately.

18 Email Security

Check | Result | Verdict
MX | Mimecast EU (pri 1) + M365 (pri 3) | Good
SPF | -all (hard fail) + 7 includes + 2 IPs | Overly broad
DMARC | p=none (monitoring only) | Weak
DKIM | 0/14 selectors found | Missing
Mimecast gateway | Active | Good

Inbound: strong (Mimecast + M365). Outbound: weak. With no DKIM, every forwarded message fails authentication, and with p=none a spoofed message is neither quarantined nor rejected by policy. The two must be fixed in order: DKIM first, then DMARC enforcement, otherwise enforcement also rejects legitimate forwarded mail.
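To make the outbound weakness in this section (and in H5, H6 and L1) concrete, the Python below is an added example for this report, not part of the engagement tooling: it parses SPF and DMARC TXT records, probes a constructed selector list for DKIM, and models the disposition a receiver applies under each DMARC policy to a spoofed message and to a legitimately forwarded one. The TXT records are constructed from the facts in this section (the includes other than amazonses.com, the IP literals and the selector names are placeholders), and live DNS lookups are left out so the example runs offline.

```python
"""SPF/DMARC/DKIM posture check and DMARC disposition model (added example)."""
import re

# Constructed TXT records modelled on section 18. The outlook.com include and the
# 192.0.2.x IPs are placeholders; amazonses.com is the include called out in L1.
# No *._domainkey records exist, matching the DKIM row above.
CONSTRUCTED_TXT = {
    "company-b.example.com": [
        "v=spf1 include:spf.protection.outlook.com include:amazonses.com "
        "ip4:192.0.2.10 ip4:192.0.2.11 -all"
    ],
    "_dmarc.company-b.example.com": ["v=DMARC1; p=none"],
}

# Assumption: common selector names. Real selectors are arbitrary, so a miss
# here is evidence, not proof, that DKIM is absent.
COMMON_SELECTORS = ("selector1", "selector2", "default", "google", "k1", "s1", "s2", "dkim", "mail", "smtp")

# Includes that authorise a whole multi-tenant platform rather than one tenant.
SHARED_INCLUDES = {"amazonses.com"}


def lookup_txt(records: dict, name: str) -> list:
    """Offline stand-in for a DNS TXT query."""
    return records.get(name.lower(), [])


def parse_spf(txt: str) -> dict:
    """Return the mechanisms and the qualifier on the 'all' term (+, -, ~, ?)."""
    terms = txt.split()
    assert terms[0].lower() == "v=spf1"
    mechs, all_qualifier = [], None
    for term in terms[1:]:
        m = re.match(r"^([+\-~?]?)(all|include|ip4|ip6|a|mx|exists|redirect)[:=]?(.*)$", term, re.I)
        if not m:
            continue
        qual, mech, arg = m.group(1) or "+", m.group(2).lower(), m.group(3)
        if mech == "all":
            all_qualifier = qual
        else:
            mechs.append((mech, arg))
    return {"mechanisms": mechs, "all": all_qualifier}


def parse_dmarc(txt: str) -> dict:
    """Split 'v=DMARC1; p=none; rua=...' into a tag dictionary."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def dkim_selectors_found(records: dict, domain: str, selectors=COMMON_SELECTORS) -> list:
    return [s for s in selectors if lookup_txt(records, f"{s}._domainkey.{domain}")]


def audit(records: dict, domain: str) -> list:
    """Findings in the style of section 18, derived from the records."""
    findings = []
    spf_txt = next((t for t in lookup_txt(records, domain) if t.lower().startswith("v=spf1")), None)
    if spf_txt is None:
        findings.append("SPF: no record")
    else:
        spf = parse_spf(spf_txt)
        findings.append(f"SPF: {spf['all']}all")
        for mech, arg in spf["mechanisms"]:
            if mech == "include" and arg.lower() in SHARED_INCLUDES:
                findings.append(f"SPF: include:{arg} authorizes every customer of that platform")
    dmarc_txt = next(iter(lookup_txt(records, f"_dmarc.{domain}")), None)
    if dmarc_txt is None:
        findings.append("DMARC: no record")
    else:
        dmarc = parse_dmarc(dmarc_txt)
        findings.append(f"DMARC: p={dmarc.get('p', 'none')}")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua= reporting address")
    found = dkim_selectors_found(records, domain)
    findings.append(f"DKIM: {len(found)}/{len(COMMON_SELECTORS)} probed selectors found")
    return findings


def dmarc_disposition(policy: str, spf_aligned_pass: bool, dkim_aligned_pass: bool) -> str:
    """Receiver's policy action: DMARC passes if either aligned check passes."""
    if spf_aligned_pass or dkim_aligned_pass:
        return "pass"
    return {"none": "none", "quarantine": "quarantine", "reject": "reject"}[policy]


def scenarios(policy: str, dkim_deployed: bool) -> dict:
    """Spoof from an unauthorised IP vs. legitimate mail forwarded by a third party
    (SPF fails on the forwarder's IP; only a DKIM signature survives forwarding)."""
    return {
        "spoof": dmarc_disposition(policy, spf_aligned_pass=False, dkim_aligned_pass=False),
        "forwarded": dmarc_disposition(policy, spf_aligned_pass=False, dkim_aligned_pass=dkim_deployed),
    }


if __name__ == "__main__":
    for line in audit(CONSTRUCTED_TXT, "company-b.example.com"):
        print(line)
    print("current (p=none, no DKIM):", scenarios("none", False))
    print("p=reject without DKIM:    ", scenarios("reject", False))
    print("p=reject with DKIM:       ", scenarios("reject", True))
```

The three scenario lines are the argument for the remediation order: under today's p=none nothing is rejected, moving straight to p=reject would reject the forwarded mail along with the spoof, and only with DKIM in place does p=reject stop the spoof while the forwarded message still passes.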

19 Positive Security Controls (15)
  • HSTS preload: max-age=31536000, includeSubDomains
  • TLS 1.2/1.3 only: strong ciphers, SSLv3/1.0/1.1 disabled
  • X-Frame-Options: SAMEORIGIN
  • X-Content-Type-Options: nosniff
  • Cloudflare WAF + APO + DDoS protection
  • Wordfence WAF (partially effective)
  • Admin panels blocked: wp-login, wp-admin, xmlrpc, readme.html
  • User enumeration blocked (REST API + author param; author IDs still visible in the posts API, see L9)
  • SPF hard fail (-all)
  • Mimecast inbound gateway
  • WP generator meta stripped
  • OCSP stapling enabled
  • HTTP/3 (QUIC) enabled
  • Upload directory listing disabled
  • Cloudflare email obfuscation active
20 Remediation Plan

Immediate
  • Update the Astra theme to v4.12.4 (CVE-2026-3534). Active stored XSS; patch available.
  • Delete wp-config.php.bak and wp-config.php.old after confirming on the server that they exist. Rotate all credentials and salts in wp-config.php afterwards.
  • Delete debug.log from the web root. Disable WP_DEBUG_LOG or point it at a path outside the document root.
  • Fix CORS: drop the header where cross-origin reads are not needed; otherwise replace * with an explicit allow-list of company-b.example.com origins.
  • Fix the WAF gap on the ?s= parameter: update the Wordfence rules and add a CSP header.
  • Add CSRF nonces to all forms: wp_nonce_field, server-side validation, and exclude form pages from cache (or fetch nonces over an uncached AJAX call). For the anonymous lead forms, which nonces cannot protect on their own, add Origin validation and rate limiting alongside reCAPTCHA.
  • Add a Content-Security-Policy header via a Cloudflare response-header Transform Rule, Report-Only first.

This Month
  • Configure DKIM, then enforce DMARC: DKIM for M365/Mimecast/SES/Brevo, add rua= reporting, p=quarantine, then p=reject.
  • Protect origin servers: route collector/fleet/lms through Cloudflare, firewall the origin to Cloudflare's IP ranges, rotate IPs.
  • Restrict the WP REST API and Wordfence endpoints: disable the /wp-json/ index and unneeded namespaces for unauthenticated users; test front-end features afterwards.
  • Rate-limit admin-ajax.php and the REST API with Cloudflare rate-limiting rules on the dynamic endpoints.
  • Add a CAA record (covering every CA Cloudflare may issue from) and trim the APM config in page source.
  • Update WPML 4.8.6 → 4.9.2; verify WP Rocket and Rank Math PRO versions against the known CVEs.

Medium-Term
  • Security headers and hardening: Referrer-Policy, Permissions-Policy, SRI, block readme.txt, strip versions, disable wp-cron, remove xmlrpc.php/phpMyAdmin, audit the dead subdomains for leftover provider records.

21 Methodology & Scope

Parameter | Detail
Type | External black-box penetration test
Scope | company-b.example.com, all subdomains, email domain
Authorization | Written authorization from Company B co-founder
Standards | OWASP Testing Guide v4.2, PTES, NIST SP 800-115
Approach | Non-destructive. No exploitation. No DoS. No brute-force.
Modules | 13 test modules, 500+ individual checks
Duration | Single session, March 11, 2026
Tester |  Redacted Tester

Test Modules

# | Module | Tools | Checks
01 | DNS & Infrastructure | host, openssl, curl, nc | 22 DNS queries, cert analysis, ports
02 | Subdomain Enumeration | sublist3r, dnsrecon, host | 130+ subdomains, CT logs
03 | HTTP Security Headers | curl, WebFetch | 18 headers, CORS, methods, cookies
04 | Sensitive File Discovery | curl | 130+ paths checked
05 | Tech Stack & WAF | curl, WebFetch | CMS fingerprint, 13 plugins, WAF bypass
06 | Email Security & OSINT | host, WebSearch | SPF/DMARC/DKIM, breach check, OSINT
07 | SSL/TLS Audit | openssl, curl | Protocols, ciphers, OCSP, Heartbleed
08 | Web App Vulnerabilities | curl, WebFetch | SQLi, XSS, traversal, injection, forms
09 | Port Scan | bash /dev/tcp, nc | 72 ports, banner grab
10 | WordPress Attacks | curl, WebFetch | User enum, REST API, plugins, cron
11 | CSRF & Forms | curl, WebFetch | 4 forms, nonce validation, referer bypass
12 | DDoS Vectors | curl, bash | 8 vectors tested
13 | Known CVE Check | WebSearch | 13 components vs NVD/WPScan/Patchstack