Security Test
Website Security Test
Website Vulnerability Scanner
Comprehensive security testing for your website
Security Report: https://mover2u.com/
Scan Date: Jan. 21, 2026, 6:10 a.m. | Duration: 1 minute, 22.42 seconds
Have you made changes or fixed vulnerabilities?
Run a fresh scan to verify your latest security updates.
Risk Rating
Overall Risk Rating
F (24/100)
Risk Distribution Chart
CVE Based Risk Distribution
| Critical | 0 |
| High | 1 |
| Medium | 3 |
| Low | 1 |
CWE Based Risk Distribution
| Critical | 0 |
| High | 4 |
| Medium | 2 |
| Low | 0 |
Scan Summary
| 1 | Input Hostname | mover2u.com |
| 2 | Target URL | https://mover2u.com/ |
| 3 | Scan Start Time | Jan. 21, 2026, 6:10 a.m. |
| 4 | Scan Duration | 1 minute, 22.42 seconds |
| 5 | Total Test Cases | 42 |
| 6 | Passed Cases | 19 |
| 7 | Failed Cases | 17 |
Target Information
| 1 | Target URL | https://mover2u.com/ |
| 2 | IP Address | 103.6.198.43 |
| 3 | Hosting Provider | Not Disclosed |
| 4 | Registrar | Not Available |
| 5 | Programming Language | PHP:8.2.22 |
| 6 | Web Server | apache |
| 7 | CMS | {'WordPress': '6.9'} |
| 8 | Operating System | Linux/Unix |
| 9 | HTTPS Enabled | Enabled |
| 10 | WAF Detected | Not Detected |
Original Header Response
Date: Wed, 21 Jan 2026 00:41:01 GMT
Server: Apache
X-Powered-By: PHP/8.2.22
Cache-Control: no-cache
X-Nitro-Cache: HIT
X-Nitro-Cache-From: drop-in
vary: user-agent,Accept-Encoding
x-nitro-rev: 61eb420
link: <https://cdn-dglae.nitrocdn.com>; rel=preconnect, <https://mover2u.com/wp-json/>; rel="https://api.w.org/", <https://mover2u.com/wp-json/wp/v2/pages/41>; rel="alternate"; title="JSON"; type="application/json", <https://mover2u.com/>; rel=shortlink
x-cache-ctime: 1768920015
Upgrade: h2,h2c
Connection: Upgrade, Keep-Alive
Content-Encoding: gzip
Keep-Alive: timeout=5, max=100
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
Detailed Technical Analysis
| 1 | Open Ports | [80, 443] |
| 2 | Debug Method Enabled | Yes |
| 3 | OPTIONS Method | Yes |
| 4 | DKIM | Not Detected |
| 5 | SPF | Not Detected |
| 6 | DMARC | Not Detected |
| 7 | Captcha Detection | Not Detected |
| 8 | Password field with autocomplete | Not Detected |
| 9 | Unencrypted Viewstate | Not Detected |
Additional Findings
Secret Files Detection
Http Methods Allowed
- GET
- POST
- PUT
- PATCH
- DELETE
- OPTIONS
- HEAD
- DEBUG
Cross Domain Inclusion
- mover2u.com
- cdn.trustindex.io
- www.googletagmanager.com
- cdn-dglae.nitrocdn.com
- www.google.com
- fonts.gstatic.com
Findings – CVE (Common Vulnerabilities and Exposures)
| Sr. No | Vulnerability Source | CVE ID | Severity | Score | Description | Remediation |
|---|---|---|---|---|---|---|
| 1 | php-8.2.22 - CVE-2025-14180 | CVE-2025-14180 | High | 8.2 | In PHP versions 8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1 when using the PDO PostgreSQL driver with PDO::ATTR_EMULATE_PREPARES enabled, an invalid character sequence (such as \x99) in a prepared statement parameter may cause the quoting function PQescapeStringConn to return NULL, leading to a null pointer dereference in pdo_parse_params() function. This may lead to crashes (segmentation fault) and affect the availability of the target server. | No solution provided. |
| 6 | php-8.2.22 - CVE-2025-1735 | CVE-2025-1735 | Medium | 5.9 | In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* pgsql and pdo_pgsql escaping functions do not check if the underlying quoting functions returned errors. This could cause crashes if Postgres server rejects the string as invalid. | No solution provided. |
| 7 | php-8.2.22 - CVE-2025-14177 | CVE-2025-14177 | Medium | 6.3 | In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, the getimagesize() function may leak uninitialized heap memory into the APPn segments (e.g., APP1) when reading images in multi-chunk mode (such as via php://filter). This occurs due to a bug in php_read_stream_all_chunks() that overwrites the buffer without advancing the pointer, leaving tail bytes uninitialized. This may lead to information disclosure of sensitive heap data and affect the confidentiality of the target server. | No solution provided. |
| 8 | php-8.2.22 - CVE-2025-14178 | CVE-2025-14178 | Medium | 6.5 | In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, a heap buffer overflow occurs in array_merge() when the total element count of packed arrays exceeds 32-bit limits or HT_MAX_SIZE, due to an integer overflow in the precomputation of element counts using zend_hash_num_elements(). This may lead to memory corruption or crashes and affect the integrity and availability of the target server. | No solution provided. |
| 11 | php-8.2.22 - CVE-2025-1220 | CVE-2025-1220 | Low | 3.7 | In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* before 8.4.10 some functions like fsockopen() lack validation that the hostname supplied does not contain null characters. This may lead to other functions like parse_url() treat the hostname in different way, thus opening way to security problems if the user code implements access checks before access using such functions. | No solution provided. |
Findings – CWE (Common Weakness Enumeration)
| Sr. No | Vulnerability Source | CWE ID | Severity | Description | Remediation |
|---|---|---|---|---|---|
| 2 | Missing Content-Security-Policy header | CWE-693 | High | Failure to enforce mechanisms that protect against unauthorized modifications such as XSS or content injection. | Implement a strong Content-Security-Policy header such as: "Content-Security-Policy: default-src 'self'; script-src 'self'". |
| 3 | Missing Strict-Transport-Security header | CWE-319 | High | Sensitive information is exposed in transit due to the absence of secure channel enforcement. | Enable HSTS with: "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload". |
| 4 | Missing HttpOnly flag in cookies | CWE-1004 | High | Cookies accessible by JavaScript can be stolen via XSS. | Set the HttpOnly flag to prevent client-side script access. |
| 5 | Missing Secure flag in cookies | CWE-614 | High | Cookies without the Secure flag may be sent over unencrypted connections. | Enable the Secure flag for all session or sensitive cookies. |
| 9 | Missing Referrer-Policy header | CWE-200 | Medium | Exposure of sensitive URLs or information to third-party sites. | Set a secure referrer policy such as: "Referrer-Policy: no-referrer". |
| 10 | Missing X-Content-Type-Options header | CWE-16 | Medium | Improperly configured security headers allow MIME-type confusion attacks. | Add the header: "X-Content-Type-Options: nosniff". |
Scan Test Cases
| Sr. No | Test Case |
|---|---|
| 1 | Inline Connection |
| 2 | Ip-Address |
| 3 | Cloud_Provider |
| 4 | Server Disclosure |
| 5 | Technology Disclosure |
| 6 | Cms Detection |
| 7 | Mixed Content Analysis |
| 8 | Operating-System |
| 9 | Open Ports Scan |
| 10 | Database |
| 11 | Javascript Libraries |
| 12 | Secure Connection Check |
| 13 | Directories Listing Exposed |
| 14 | Password Exposing Pages |
| 15 | Missing Security Headers |
| 16 | Missing Content-Security-Policy |
| 17 | Missing Strict-Transport-Security |
| 18 | Missing Referrer-Policy |
| 19 | Missing X-Content-Type-Options |
| 20 | Missing Cookie http flag |
| 21 | Missing Cookie secure flag |
| 22 | Secret Files Detection |
| 23 | WAF-Detection |
| Sr. No | Test Case |
|---|---|
| 24 | SSL Certificate Validation |
| 25 | Loose Cookie Domain |
| 26 | CSP Header Analysis |
| 27 | OpenAPI Disclosure |
| 28 | Password Leak Detection |
| 29 | Path Disclosure |
| 30 | Error Messages Analysis |
| 31 | Rate Limit Headers |
| 32 | Email Extraction |
| 33 | Xml-RPC Endpoint Detection |
| 34 | HTTP Methods Allowed |
| 35 | Enabled Debug Method |
| 36 | Enabled OPTIONS Method |
| 37 | Cross-Domain Inclusion |
| 38 | File Upload Detection |
| 39 | Client Access Policies |
| 40 | X-FRAME OPTIONS |
| 41 | X-XSS PROTECTION |
| 42 | .htaccess Exposure |
Passed & Failed Cases
Passed Cases (19)
- Mixed Content (HTTP on HTTPS)
- Open Ports Scan
- Javascript Libraries
- Secure Connection
- Directory Listing Exposed
- Passwords submitted unencrypted
- SSL Certificate
- Loose cookie domain
- Content Security Policy Misconfiguration
- OpenAPI Disclosure
- Password Leakage
- Error Messages Analysis
- Path Disclosure
- Rate Limit Headers
- Enabled Debug Method
- Enabled OPTIONS Method
- File Upload Detection
- .htaccess Exposure
- Host Header Injection
Failed Cases (17)
- Server Disclosure
- Technology Disclosure
- Missing Security Headers
- Missing Content-Security-Policy header
- Missing Strict-Transport-Security header
- Missing Referrer-Policy header
- Missing X-Content-Type-Options header
- Missing HttpOnly flag in cookies
- Missing Secure flag in cookies
- Secret Files Detection
- robots.txt file found
- WAF Detection
- Emails exposed
- Cross-Domain Inclusion
- Client Access Policies
- X-FRAME OPTIONS
- X-XSS PROTECTION
View Raw Scan Data (JSON)
{
"host": "mover2u.com",
"host_url": "https://mover2u.com/",
"task_id": "13b00943-ed88-40ce-a2ad-a48bbadfc5ed",
"status": "COMPLETED",
"inline_connection": "Yes",
"original_header": {
"Date": "Wed, 21 Jan 2026 00:41:01 GMT",
"Server": "Apache",
"X-Powered-By": "PHP/8.2.22",
"Cache-Control": "no-cache",
"X-Nitro-Cache": "HIT",
"X-Nitro-Cache-From": "drop-in",
"vary": "user-agent,Accept-Encoding",
"x-nitro-rev": "61eb420",
"link": "<https://cdn-dglae.nitrocdn.com>; rel=preconnect, <https://mover2u.com/wp-json/>; rel=\"https://api.w.org/\", <https://mover2u.com/wp-json/wp/v2/pages/41>; rel=\"alternate\"; title=\"JSON\"; type=\"application/json\", <https://mover2u.com/>; rel=shortlink",
"x-cache-ctime": "1768920015",
"Upgrade": "h2,h2c",
"Connection": "Upgrade, Keep-Alive",
"Content-Encoding": "gzip",
"Keep-Alive": "timeout=5, max=100",
"Transfer-Encoding": "chunked",
"Content-Type": "text/html; charset=UTF-8"
},
"ip_address": "103.6.198.43",
"hosting_provider": null,
"registrar": null,
"cms": {
"WordPress": "6.9"
},
"cms_cve": null,
"server": "apache",
"server_disclosure_cve": null,
"programming_language": "PHP:8.2.22",
"technology_disclosure_cve": {
"Total CVEs": 23,
"Critical": 3,
"High": 4,
"Medium": 13,
"Low": 3,
"php-8.2.22": [
{
"Id": "CVE-2025-1220",
"Published": "2025-07-13T23:15:22.773",
"Description": "In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* before 8.4.10 some functions like fsockopen() lack validation that the hostname supplied does not contain null characters. This may lead to other functions like parse_url() treat the hostname in different way, thus opening way to security problems if the user code implements access checks before access using such functions.",
"Severity": "LOW",
"Score": 3.7,
"CWE": "CWE-918"
},
{
"Id": "CVE-2025-1735",
"Published": "2025-07-13T23:15:22.940",
"Description": "In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* pgsql and pdo_pgsql escaping functions do not check if the underlying quoting functions returned errors. This\u00a0could cause crashes if Postgres server rejects the string as invalid.",
"Severity": "MEDIUM",
"Score": 5.9,
"CWE": "CWE-89"
},
{
"Id": "CVE-2025-14177",
"Published": "2025-12-27T20:15:40.400",
"Description": "In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, the getimagesize() function may leak uninitialized heap memory into the APPn segments (e.g., APP1) when reading images in multi-chunk mode (such as via php://filter). This occurs due to a bug in php_read_stream_all_chunks() that overwrites the buffer without advancing the pointer, leaving tail bytes uninitialized. This may lead to information disclosure of sensitive heap data and affect the confidentiality of the target server.",
"Severity": "MEDIUM",
"Score": 6.3,
"CWE": "CWE-125"
},
{
"Id": "CVE-2025-14178",
"Published": "2025-12-27T20:15:40.570",
"Description": "In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, a heap buffer overflow occurs in array_merge() when the total element count of packed arrays exceeds 32-bit limits or HT_MAX_SIZE, due to an integer overflow in the precomputation of element counts using zend_hash_num_elements(). This may lead to memory corruption or crashes and affect the integrity and availability of the target server.",
"Severity": "MEDIUM",
"Score": 6.5,
"CWE": "CWE-190"
},
{
"Id": "CVE-2025-14180",
"Published": "2025-12-27T20:15:40.717",
"Description": "In PHP versions 8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1 when using the PDO PostgreSQL driver with PDO::ATTR_EMULATE_PREPARES enabled, an invalid character sequence (such as \\x99) in a prepared statement parameter may cause the quoting function PQescapeStringConn to return NULL, leading to a null pointer dereference in pdo_parse_params() function. This may lead to crashes (segmentation fault) and affect the availability of the target server.",
"Severity": "HIGH",
"Score": 8.2,
"CWE": "CWE-476"
}
]
},
"mixed_content_analysis": null,
"operating_system": "Linux/Unix",
"open_ports": [
80,
443
],
"database_technology": null,
"javascript_libraries": null,
"javascript_libraries_cve": null,
"secure_connection": "Enabled",
"directory_listing": null,
"passwords_submitted_unencrypted": null,
"missing_security_headers": [
"STRICT-TRANSPORT-SECURITY",
"PERMISSIONS-POLICY",
"X-FRAME-OPTIONS",
"CONTENT-SECURITY-POLICY",
"X-CONTENT-TYPE-OPTIONS",
"X-XSS-PROTECTION",
"REFERRER-POLICY",
"X-PERMITTED-CROSS-DOMAIN"
],
"missing_content_security_policy_header": {
"issue": "Missing Content-Security-Policy header",
"severity": "High",
"cwe_id": "CWE-693",
"cwe_description": "Failure to enforce mechanisms that protect against unauthorized modifications such as XSS or content injection.",
"fix": "Implement a strong Content-Security-Policy header such as: \"Content-Security-Policy: default-src 'self'; script-src 'self'\"."
},
"missing_strict_transport_security_header": {
"issue": "Missing Strict-Transport-Security header",
"severity": "High",
"cwe_id": "CWE-319",
"cwe_description": "Sensitive information is exposed in transit due to the absence of secure channel enforcement.",
"fix": "Enable HSTS with: \"Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\"."
},
"missing_referrer_policy_header": {
"issue": "Missing Referrer-Policy header",
"severity": "Medium",
"cwe_id": "CWE-200",
"cwe_description": "Exposure of sensitive URLs or information to third-party sites.",
"fix": "Set a secure referrer policy such as: \"Referrer-Policy: no-referrer\"."
},
"missing_x_content_type_options_header": {
"issue": "Missing X-Content-Type-Options header",
"severity": "Medium",
"cwe_id": "CWE-16",
"cwe_description": "Improperly configured security headers allow MIME-type confusion attacks.",
"fix": "Add the header: \"X-Content-Type-Options: nosniff\"."
},
"missing_httponly_flag_in_cookies": {
"issue": "Missing HttpOnly flag in cookies",
"severity": "High",
"cwe_id": "CWE-1004",
"cwe_description": "Cookies accessible by JavaScript can be stolen via XSS.",
"fix": "Set the HttpOnly flag to prevent client-side script access."
},
"missing_secure_flag_in_cookies": {
"issue": "Missing Secure flag in cookies",
"severity": "High",
"cwe_id": "CWE-614",
"cwe_description": "Cookies without the Secure flag may be sent over unencrypted connections.",
"fix": "Enable the Secure flag for all session or sensitive cookies."
},
"secret_files_detection": [
"https://mover2u.com/robots.txt",
"https://mover2u.com/sitemap.xml"
],
"robots_txt_file_found": null,
"waf_detection": null,
"ssl_certificate": null,
"loose_cookie_domain": null,
"csp_header_analysis": null,
"openapi_disclosure": null,
"password_leakage": null,
"error_messages_analysis": null,
"path_disclosure": null,
"rate_limit_headers": null,
"email_extraction": {
"Source": [
"contact@mover2u.com"
],
"Emails exposed": {
"issue": "Emails exposed",
"severity": "Low",
"cwe_id": "CWE-200",
"cwe_description": "Publicly exposed email addresses may lead to phishing or spam attacks.",
"fix": "Obfuscate email addresses or remove unnecessary public exposure."
}
},
"xml_rpc_endpoint_detection": null,
"http_methods_allowed": [
"GET",
"POST",
"PUT",
"PATCH",
"DELETE",
"OPTIONS",
"HEAD",
"DEBUG"
],
"enabled_debug_method": "Yes",
"enabled_options_method": "Yes",
"cross_domain_inclusion": [
"mover2u.com",
"cdn.trustindex.io",
"www.googletagmanager.com",
"cdn-dglae.nitrocdn.com",
"www.google.com",
"fonts.gstatic.com"
],
"file_upload": null,
"client_access_policies": [],
"x_frame_options": "Missing X-Frame-Options",
"x_xss_protection": "Missing x-xss-protection header",
"htaccess_exposure": null,
"host_header_injection": null,
"captcha_detection": null,
"password_field_with_autocomplete": null,
"spf": null,
"dmarc": null,
"dkim": null,
"unencrypted_viewstate": null,
"total_scans": [
"Inline Connection",
"Ip-Address",
"Cloud_Provider",
"Server Disclosure",
"Technology Disclosure",
"Cms Detection",
"Mixed Content Analysis",
"Operating-System",
"Open Ports Scan",
"Database",
"Javascript Libraries",
"Secure Connection Check",
"Directories Listing Exposed",
"Password Exposing Pages",
"Missing Security Headers",
"Missing Content-Security-Policy",
"Missing Strict-Transport-Security",
"Missing Referrer-Policy",
"Missing X-Content-Type-Options",
"Missing Cookie http flag",
"Missing Cookie secure flag",
"Secret Files Detection",
"WAF-Detection",
"SSL Certificate Validation",
"Loose Cookie Domain",
"CSP Header Analysis",
"OpenAPI Disclosure",
"Password Leak Detection",
"Path Disclosure",
"Error Messages Analysis",
"Rate Limit Headers",
"Email Extraction",
"Xml-RPC Endpoint Detection",
"HTTP Methods Allowed",
"Enabled Debug Method",
"Enabled OPTIONS Method",
"Cross-Domain Inclusion",
"File Upload Detection",
"Client Access Policies",
"X-FRAME OPTIONS",
"X-XSS PROTECTION",
".htaccess Exposure"
],
"executive_summary": {
"Severity": "Critical",
"Total Checks Passed": 19,
"Passed Cases": [
"Mixed Content (HTTP on HTTPS)",
"Open Ports Scan",
"Javascript Libraries",
"Secure Connection",
"Directory Listing Exposed",
"Passwords submitted unencrypted",
"SSL Certificate",
"Loose cookie domain",
"Content Security Policy Misconfiguration",
"OpenAPI Disclosure",
"Password Leakage",
"Error Messages Analysis",
"Path Disclosure",
"Rate Limit Headers",
"Enabled Debug Method",
"Enabled OPTIONS Method",
"File Upload Detection",
".htaccess Exposure",
"Host Header Injection"
],
"Total Checks Failed": 17,
"Failed Cases": [
"Server Disclosure",
"Technology Disclosure",
"Missing Security Headers",
"Missing Content-Security-Policy header",
"Missing Strict-Transport-Security header",
"Missing Referrer-Policy header",
"Missing X-Content-Type-Options header",
"Missing HttpOnly flag in cookies",
"Missing Secure flag in cookies",
"Secret Files Detection",
"robots.txt file found",
"WAF Detection",
"Emails exposed",
"Cross-Domain Inclusion",
"Client Access Policies",
"X-FRAME OPTIONS",
"X-XSS PROTECTION"
],
"Total CVEs Found": 23,
"Critical": 3,
"High": 4,
"Medium": 13,
"Low": 3,
"Total CWEs Found": 6
},
"total_scan_time": "1 minute, 22.42 seconds",
"scan_start_timestamp": "2026-01-21 00:40:58"
}
Other Security Tools
Explore our comprehensive suite of security testing tools