Penetration Test Report

Target: company-f.example.com | Date: March 12, 2026 | Type: External Black-Box | Authorization: Written client approval

Executive Summary

An external black-box penetration test was conducted against company-f.example.com and all discoverable subdomains. The assessment identified 24 findings across 8 test modules.

The most critical issue is the server running PHP 7.4.33, which has been end-of-life since November 2022 with no security patches. The site is hosted on Hosting Provider shared infrastructure (Netherlands) with cPanel/WHM management ports publicly exposed. Email security is severely lacking with no DMARC record, enabling email spoofing attacks.

On the positive side, the site deploys Imunify360 WAF + OpenResty reverse proxy which aggressively blocks automated requests, and has implemented WordPress hardening measures including login URL obfuscation, REST API blocking, and hidden admin panels.

Security Score

62 / 100

MODERATE

Strong WAF and WordPress hardening offset by critical infrastructure weaknesses (EOL PHP, exposed management ports, missing email security).

5High

7Medium

8Low

4Info

Target Architecture

Client

Browser

→

Reverse Proxy / WAF

OpenResty xxx.xxx.xxx.xxx
+ Imunify360

→

Web Server

LiteSpeed
PHP 7.4.33 (EOL)

→

CMS

WordPress 6.9.3
WPBakery 8.4.1

Component	Detail
Hosting Provider	Hosting Provider (redacted.hosting.example.com) - Netherlands
Server IP	10.0.6.1
Control Panel	cPanel/WHM (ports 2082-2087 open)
CMS	WordPress 6.9.3
Page Builder	WPBakery (js_composer) 8.4.1
Theme	Werkstatt v4.7.3 (with child theme)
Plugins	WPBakery 8.4.1, MPC Massive xxx.xxx.xxx.xxx, Indeed My Logos VC
WAF	Imunify360 + OpenResty xxx.xxx.xxx.xxx
PHP	7.4.33 (EOL since Nov 2022)
SSL	Let's Encrypt (shared cert with 3dimensionstudio.com)
Email	Mailhostbox (us2.mx1-3.mailhostbox.com)
DNS	Hosting Provider (ns1-4.hosting.example.com)
Subdomains	13 discovered (9 on main IP, 4 on Mailhostbox)
Open Ports	16 (FTP, SSH, SMTP, DNS, HTTP, POP3, IMAP, HTTPS, SMTPS, Submission, IMAPS, POP3S, cPanel x4)

Findings Overview

ID	Severity	Category	Finding	CVSS
H1	HIGH	Infrastructure	PHP 7.4.33 End-of-Life (No Security Patches)	8.0
H2	HIGH	Infrastructure	cPanel/WHM Management Ports Publicly Exposed	7.5
H3	HIGH	HTTP Headers	Missing Content-Security-Policy Header	7.0
H4	HIGH	Email	No DMARC Record - Domain Spoofable	7.0
H5	HIGH	Infrastructure	FTP Service Exposed (Cleartext Credentials)	6.5
M1	MEDIUM	HTTP Headers	TRACE Method Enabled (Cross-Site Tracing)	5.5
M2	MEDIUM	HTTP Headers	PUT/DELETE/PATCH Methods Return 200	5.0
M3	MEDIUM	Email	Overly Broad SPF Authorization	5.0
M4	MEDIUM	Information	PHP Version Disclosed in X-Powered-By	4.5
M5	MEDIUM	SSL/TLS	Inconsistent HSTS - Missing on Proxy Layer	4.5
M6	MEDIUM	SSL/TLS	No HTTP-to-HTTPS Redirect on Proxy Layer	4.5
M7	MEDIUM	WordPress	wp-cron.php Publicly Accessible	4.5
L1	LOW	DNS	No CAA DNS Record	3.5
L2	LOW	Email	SPF Softfail (~all) Instead of Hardfail (-all)	3.0
L3	LOW	SSL/TLS	OCSP Stapling Not Enabled	3.0
L4	LOW	Information	WordPress Version in Generator Meta Tag	2.5
L5	LOW	Information	WPBakery Version in Generator Meta Tag	2.5
L6	LOW	Information	Server Version Disclosure (LiteSpeed + OpenResty)	2.5
L7	LOW	HTTP Headers	Missing Referrer-Policy Header	2.0
L8	LOW	HTTP Headers	Missing Permissions-Policy Header	2.0
I1	INFO	SSL/TLS	Shared SSL Certificate (CN: *.3dimensionstudio.com)	-
I2	INFO	Infrastructure	Single IP - All Services on One Server	-
I3	INFO	Subdomain	Webmail SSL Misconfiguration	-
I4	INFO	OSINT	Google Site Verification Record Present	-

HIGH Severity Findings

H1: PHP 7.4.33 End-of-Life - No Security Patches Since Nov 2022 HIGH | CVSS 8.0

Module: 01, 03, 04, 05 | Component: Server PHP Runtime

Evidence: Response header X-Powered-By: PHP/7.4.33 present on all responses. PHP 7.4 reached end-of-life on November 28, 2022. Over 3 years without security patches.

Impact: Known unpatched CVEs in PHP 7.4 can be exploited for remote code execution, information disclosure, and denial of service. Any PHP vulnerability discovered after Nov 2022 remains exploitable.

Fix: Upgrade to PHP 8.2+ immediately. Test WordPress and all plugins for compatibility first. Most modern WordPress plugins support PHP 8.x.

H2: cPanel/WHM Management Ports Publicly Exposed (2082-2087) HIGH | CVSS 7.5

Module: 01, 02 | Component: cpanel.company-f.example.com, ports 2082-2087

Evidence: Port scan confirms ports 2082 (cPanel HTTP), 2083 (cPanel HTTPS), 2086 (WHM HTTP), 2087 (WHM HTTPS) are all open. cpanel.company-f.example.com returns HTTP 200 with cPanel login page.

Impact: Attackers can attempt brute-force attacks against cPanel/WHM login. WHM access grants full server control. These are high-value targets on shared hosting.

Fix: Restrict cPanel/WHM access to specific IPs via firewall. If Hosting Provider allows, configure IP-based access restrictions in WHM. Use VPN for management access.

H3: Missing Content-Security-Policy Header HIGH | CVSS 7.0

Module: 03 | Component: All HTTP responses

Evidence: No CSP header or meta tag present. External resources load from Adobe Typekit and Google Fonts without restriction.

Impact: Without CSP, if any XSS vulnerability exists, attackers have zero browser-side restrictions on injected scripts. This is the primary browser defense against XSS exploitation.

Fix: Add CSP header via LiteSpeed configuration. Start with report-only mode: Content-Security-Policy-Report-Only: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' use.typekit.net fonts.googleapis.com; font-src fonts.gstatic.com use.typekit.net

H4: No DMARC Record - Domain Fully Spoofable HIGH | CVSS 7.0

Module: 06 | Component: _dmarc.company-f.example.com

Evidence: host _dmarc.company-f.example.com returns NXDOMAIN. No DMARC TXT record exists.

Impact: Anyone can send emails appearing to come from @company-f.example.com. Without DMARC, receiving mail servers have no policy guidance for handling SPF/DKIM failures. This enables phishing attacks impersonating the domain owner.

Fix: Add DMARC record: _dmarc.company-f.example.com TXT "v=DMARC1; p=none; rua=mailto:dmarc@company-f.example.com" then progress to p=quarantine and finally p=reject.

H5: FTP Service Exposed (Port 21 - Cleartext Credentials) HIGH | CVSS 6.5

Module: 01, 02 | Component: 10.0.6.1:21, ftp.company-f.example.com

Evidence: Port 21 (FTP) is open. ftp.company-f.example.com serves HTTP without TLS on port 80. FTP transmits credentials in cleartext.

Impact: FTP credentials can be intercepted via network sniffing (MITM attack). Combined with the shared hosting environment, this increases risk of unauthorized file access.

Fix: Disable FTP entirely. Use SFTP (port 22) for file transfers which is already available. Remove the FTP DNS record.

MEDIUM Severity Findings

M1: TRACE Method Enabled (Cross-Site Tracing Risk) MEDIUM | CVSS 5.5

Module: 03 | Component: LiteSpeed web server

Evidence: curl -X TRACE https://company-f.example.com/ returns HTTP 200.

Impact: TRACE method can be exploited for Cross-Site Tracing (XST) attacks to steal HTTP-only cookies and authorization headers.

Fix: Disable TRACE in LiteSpeed configuration or add a rewrite rule to block it.

M2: PUT/DELETE/PATCH Methods Return 200 MEDIUM | CVSS 5.0

Module: 03 | Component: All HTTP methods accepted

Evidence: PUT, DELETE, PATCH all return HTTP 200 on the root URL.

Fix: Restrict to GET, POST, HEAD, OPTIONS only at the web server level unless the application specifically requires other methods.

M3: Overly Broad SPF Authorization MEDIUM | CVSS 5.0

Module: 06 | Component: SPF TXT record

Evidence: SPF redirects to _spf.mailhostbox.com which includes all._spf.ds.network authorizing 70+ IP CIDR blocks across multiple ASNs.

Impact: Any server on these authorized networks can pass SPF checks for this domain, greatly increasing the pool of potential spoofers.

Fix: Work with Mailhostbox to use more restrictive SPF includes, or consider migrating to a provider with tighter SPF scoping (Google Workspace, Microsoft 365).

M4: PHP Version Disclosed via X-Powered-By Header MEDIUM | CVSS 4.5

Module: 03, 04, 05 | Component: All HTTP responses

Evidence: X-Powered-By: PHP/7.4.33 header present on every response.

Fix: Set expose_php = Off in php.ini to suppress this header.

M5: Inconsistent HSTS - Missing on OpenResty Proxy Layer MEDIUM | CVSS 4.5

Module: 03, 07 | Component: OpenResty reverse proxy

Evidence: LiteSpeed sends Strict-Transport-Security: max-age=63072000; includeSubDomains but the OpenResty proxy layer does not pass this through on 415 responses. SSL/TLS audit confirmed HSTS missing on proxy responses.

Fix: Configure HSTS on both the OpenResty proxy and LiteSpeed layers. Add preload directive and submit to HSTS preload list.

M6: No HTTP-to-HTTPS Redirect on Proxy Layer MEDIUM | CVSS 4.5

Module: 07 | Component: OpenResty on port 80

Evidence: HTTP requests to port 80 return 415 Unsupported Media Type instead of a 301 redirect to HTTPS. Users accessing http:// will see an error rather than being redirected.

Fix: Configure OpenResty to return 301 https://$host$request_uri for all HTTP port 80 traffic.

M7: wp-cron.php Publicly Accessible MEDIUM | CVSS 4.5

Module: 04 | Component: /wp-cron.php

Evidence: curl https://company-f.example.com/wp-cron.php returns HTTP 200 (0 bytes).

Impact: Can be abused for timing attacks, resource exhaustion, or triggering scheduled tasks at attacker-controlled intervals.

Fix: Add define('DISABLE_WP_CRON', true); to wp-config.php and configure a server-side cron job. Block public access to wp-cron.php.

LOW Severity Findings

ID	Finding	Evidence	Recommended Fix
L1	No CAA DNS Record	No CAA record found - any CA can issue certificates	Add `CAA 0 issue "letsencrypt.org"` to DNS
L2	SPF Softfail (~all) Instead of Hardfail (-all)	Terminal SPF mechanism is `~all`	Transition to `-all` after DMARC monitoring confirms legitimate senders
L3	OCSP Stapling Not Enabled	`OCSP response: no response sent`	Enable `ssl_stapling on;` in OpenResty config
L4	WordPress Version in Generator Meta Tag	`<meta name="generator" content="WordPress 6.9.3">`	Add `remove_action('wp_head', 'wp_generator')` to theme functions.php
L5	WPBakery Version in Generator Meta Tag	`<meta name="generator" content="Powered by WPBakery Page Builder">`	Remove WPBakery generator meta output via filter
L6	Server Version Disclosure	`Server: LiteSpeed` and `Server: openresty/xxx.xxx.xxx.xxx`	Set `server_tokens off;` in OpenResty. Suppress Server header in LiteSpeed.
L7	Missing Referrer-Policy Header	No Referrer-Policy header present	Add `Referrer-Policy: strict-origin-when-cross-origin`
L8	Missing Permissions-Policy Header	No Permissions-Policy header; browser APIs unrestricted	Add `Permissions-Policy: camera=(), microphone=(), geolocation=()`

Informational Findings

ID	Finding	Details
I1	Shared SSL Certificate	Certificate CN is `*.3dimensionstudio.com`; target domain covered via SAN entry. Reveals shared hosting with 3dimensionstudio.com
I2	Single IP - All Services on One Server	9 of 13 subdomains resolve to 10.0.6.1. Web, FTP, SSH, email (local), cPanel all on one shared host. Single point of failure.
I3	Webmail SSL Misconfiguration	webmail.company-f.example.com HTTPS connection fails (HTTP 000). Redirect loop or SSL certificate issue.
I4	Google Site Verification Record	`google-site-verification=3W25N1W3wY0nLh7NWcSK9vftMJ-2CLZb_MRLIBymW-4` in DNS TXT records

Module 01: DNS & Infrastructure

DNS Records

Type	Value
A	10.0.6.1
NS	ns1-4.hosting.example.com
MX	us2.mx1/mx2/mx3.mailhostbox.com (priority 100)
TXT (SPF)	`v=spf1 redirect=_spf.mailhostbox.com`
TXT	Google Site Verification
SOA	ns1.hosting.example.com / root@redacted.hosting.example.com
AAAA	None (IPv4 only)
CAA	None
DMARC	None
Reverse DNS	redacted.hosting.example.com

Open Ports (10.0.6.1)

Port	Service	Status	Risk
21	FTP	Open	HIGH
22	SSH	Open	LOW
25	SMTP	Open	INFO
53	DNS	Open	INFO
80	HTTP	Open	INFO
110	POP3	Open	INFO
143	IMAP	Open	INFO
443	HTTPS	Open	INFO
465	SMTPS	Open	INFO
587	Submission	Open	INFO
993	IMAPS	Open	INFO
995	POP3S	Open	INFO
2082	cPanel HTTP	Open	HIGH
2083	cPanel HTTPS	Open	HIGH
2086	WHM HTTP	Open	HIGH
2087	WHM HTTPS	Open	HIGH

Module 02: Subdomain Enumeration

13 subdomains discovered via DNS brute-force (115 names tested) and Certificate Transparency logs.

Subdomain	Resolves To	HTTP Status	Notes
company-f.example.com	10.0.6.1	200	Main site
www	10.0.6.1	301 → apex	Proper redirect
mail	10.0.6.1	301 → webmail	Redirects to webmail
ftp	10.0.6.1	200 (HTTP only)	No HTTPS
cpanel	10.0.6.1	200 (HTTPS)	Login page exposed
webmail	Mailhostbox	SSL Error (000)	SSL misconfiguration
smtp	Mailhostbox	N/A	Mail service only
pop	Mailhostbox	N/A	Mail service only
imap	Mailhostbox	N/A	Mail service only
autodiscover	10.0.6.1	415	cPanel service
cpcalendars	10.0.6.1	415	cPanel service
cpcontacts	10.0.6.1	415	cPanel service
webdisk	10.0.6.1	415	cPanel service

PASS No subdomain takeover vulnerabilities found. All CNAMEs point to active services.

Module 03: HTTP Security Headers

Header	Status	Value
Strict-Transport-Security	PRESENT	`max-age=63072000; includeSubDomains` (missing preload)
Content-Security-Policy	MISSING	No CSP - XSS has zero browser-side mitigation
X-Frame-Options	PRESENT	`SAMEORIGIN`
X-Content-Type-Options	PRESENT	`nosniff`
X-XSS-Protection	MISSING	Legacy but still recommended
Referrer-Policy	MISSING	No explicit policy
Permissions-Policy	MISSING	Browser APIs unrestricted
COOP/CORP/COEP	MISSING	No cross-origin isolation

Score: 3 of 10 security headers present.

HTTP Methods

Method	Status	Assessment
GET / POST / HEAD / OPTIONS	200	Expected
PUT / DELETE / PATCH	200	Should be restricted
TRACE	200	XST risk - disable

PASS No CORS misconfiguration. No cookies set for unauthenticated users.

Module 04: Sensitive Files & Paths

90+ paths tested. WAF rate-limiting kicked in mid-scan, blocking later requests.

Notable Findings

Path	Status	Assessment
robots.txt	200 (31 bytes)	Accessible - minimal directives
wp-cron.php	200 (0 bytes)	Accessible - potential DoS vector
wp-login.php	404	Hidden (login URL renamed)
wp-admin/	302 → /404/	Obfuscated
All wp-json/ endpoints	415	Blocked by WAF
.env, .git/, .htaccess, .htpasswd	403	Properly blocked
wp-config.php.bak/.old/.save/.swp	403	Properly blocked
xmlrpc.php	000 (timeout)	Blocked by WAF
phpmyadmin/, adminer.php	415	Blocked
debug.log, error_log	415	Blocked

Module 05: Tech Stack & WAF

WAF Detection: Imunify360

The site uses Imunify360 bot-protection fronted by OpenResty/xxx.xxx.xxx.xxx reverse proxy. This WAF:

Blocks REST API access with message: "Access denied by Imunify360 bot-protection"
Returns 415 for automated requests to sensitive endpoints
Rate-limits and eventually drops connections from scanning IPs
Blocks SQL injection and path traversal payloads

WAF Bypass Testing

Payload	Result
XSS: `?q=<script>alert(1)</script>`	301 (partially blocked)
SQLi: `?q=1' OR 1=1--`	415 (blocked)
Path Traversal: `?q=../../etc/passwd`	415 (blocked)

NOTE XSS payload returned 301 rather than 415, suggesting inconsistent filtering for XSS vs SQLi payloads. However, no reflected content was found.

Module 06: Email Security

Control	Status	Details
SPF	WEAK	Configured but delegates to Mailhostbox which authorizes 70+ IP ranges via `all._spf.ds.network`. Uses `~all` softfail.
DKIM	PASS	2048-bit RSA key configured under `default` selector.
DMARC	FAIL	No DMARC record. Domain can be freely spoofed.

Email Authentication: 1 of 3 controls properly configured (DKIM only)

Module 07: SSL/TLS Audit

Overall Rating: B

Check	Result
TLS 1.0 / 1.1	Disabled
TLS 1.2	Supported (ECDHE-RSA-AES256-GCM-SHA384)
TLS 1.3	Supported (TLS_AES_256_GCM_SHA384)
Weak Ciphers (RC4/DES/EXPORT/NULL)	Not accepted
Certificate Chain	Valid (Let's Encrypt R12 → ISRG Root X1)
Certificate Expiry	~76 days remaining
Heartbleed	Not vulnerable
HSTS	Inconsistent (present on LiteSpeed, missing on OpenResty)
HTTP → HTTPS Redirect	Broken (returns 415 on port 80)
OCSP Stapling	Not enabled

Module 08: Web Application Vulnerabilities

Testing was significantly limited by Imunify360 WAF. Most requests returned HTTP 415 or resulted in IP-based blocking (connection timeouts).

Test	Result
Reflected XSS	Not confirmed - no input reflection detected
SQL Injection	Not confirmed - no SQL errors, uniform 415 response
Directory Traversal	Not confirmed - properly blocked
Open Redirect	Not confirmed - no redirect headers
CSRF	Not testable - no forms served to automated client
Verbose Errors	None found - clean error pages
IP Rate Limiting	Active - testing IP was blocked mid-scan

NOTE The aggressive WAF makes external automated testing largely ineffective. Internal/authenticated testing would be required for deeper web app assessment.

Positive Security Findings

#	Finding	Details
P1	Imunify360 WAF Active	Blocks automated requests, SQL injection, path traversal. Rate-limits scanning IPs.
P2	Login URL Obfuscated	wp-login.php returns 404, wp-admin redirects to /404/. Prevents brute-force attacks.
P3	REST API Blocked	All /wp-json/ endpoints return 415. User enumeration not possible.
P4	Dotfiles Protected	.env, .git, .htaccess, .htpasswd all return 403.
P5	Config Backups Protected	All wp-config.php backup variants (.bak, .old, .save, .swp) return 403.
P6	XML-RPC Blocked	xmlrpc.php connection times out - prevents brute-force and DDoS amplification.
P7	HSTS Enabled (LiteSpeed)	2-year max-age with includeSubDomains on application layer.
P8	X-Frame-Options Set	SAMEORIGIN prevents clickjacking.
P9	DKIM Configured	2048-bit RSA key on default selector.
P10	TLS 1.2/1.3 Only	Deprecated protocols disabled. Strong cipher suites.
P11	Child Theme Used	Werkstatt-child theme - proper WordPress development practice.
P12	No CORS Misconfiguration	Server does not return Access-Control-Allow-Origin headers.
P13	Debug Logs Not Exposed	debug.log, error_log all blocked.
P14	No Subdomain Takeover Risk	All CNAMEs point to active services. No dangling records.

Remediation Plan

Immediate (1-7 days)

H1: Upgrade PHP from 7.4.33 to 8.2+ (test compatibility first)
H4: Add DMARC record (p=none to start, then escalate)
H5: Disable FTP, use SFTP only
M4: Set expose_php = Off in php.ini
M7: Disable WP-Cron via web; use server cron

Short-Term (1-4 weeks)

H2: Restrict cPanel/WHM ports to specific IPs (coordinate with Hosting Provider)
H3: Implement Content-Security-Policy header (start with report-only)
M1: Disable TRACE method in LiteSpeed
M2: Block PUT/DELETE/PATCH at web server level
M5/M6: Configure HSTS and HTTP→HTTPS redirect on OpenResty proxy

Medium-Term (1-3 months)

M3: Evaluate email provider - consider Google Workspace or M365 for tighter SPF
L1: Add CAA DNS record restricting cert issuance to Let's Encrypt
L2: Transition SPF from ~all to -all after DMARC monitoring
L3: Enable OCSP stapling in OpenResty
L4-L6: Strip version information from meta tags and headers
L7-L8: Add Referrer-Policy and Permissions-Policy headers

Ongoing

Keep WordPress core, themes, and plugins updated
Monitor DMARC reports for unauthorized email use
Review Imunify360 WAF logs for attack patterns
Consider migrating off shared hosting for better security isolation
Schedule periodic penetration tests (quarterly recommended)

Methodology

Module	Description	Tools
01	DNS & Infrastructure Reconnaissance	host, openssl, nc, port scanning
02	Subdomain Enumeration	DNS brute-force (115 names), crt.sh CT logs, HTTP probing
03	HTTP Security Headers Analysis	curl, header analysis, CORS testing, HTTP method testing
04	Sensitive Files & Path Discovery	curl (90+ paths tested), content analysis
05	Technology Stack & WAF Detection	HTML source analysis, header fingerprinting, WAF payload testing
06	Email Security & OSINT	SPF/DKIM/DMARC analysis, MX records, DKIM selector testing
07	SSL/TLS Security Audit	openssl s_client, protocol/cipher testing, chain validation
08	Web Application Vulnerability Testing	XSS/SQLi/traversal probes, form analysis, error handling

Standards: OWASP Testing Guide v4.2, PTES (Penetration Testing Execution Standard), NIST SP 800-115
Scope: External black-box testing. No authenticated/internal testing performed.
Limitations: Imunify360 WAF aggressively blocked automated testing, limiting depth of web application vulnerability assessment. Testing IP was rate-limited mid-scan. Internal/authenticated testing recommended for comprehensive coverage.
Authorization: Written client approval obtained prior to testing. All testing was non-destructive.

Penetration Test Report | company-f.example.com | March 12, 2026

Confidential - For authorized recipients only