Website Security Test
Website Vulnerability Scanner
Comprehensive security testing for your website
Security Report: https://xelfin.in/
Scan Date: March 7, 2026, 9:52 a.m. | Duration: 104.84s
This is a Light Scan result.
Risk Rating

| Severity | CVE findings |
|---|---|
| Critical | 1 |
| High | 4 |
| Medium | 10 |
| Low | 0 |

| Severity | All findings |
|---|---|
| Critical | 1 |
| High | 10 |
| Medium | 13 |
| Low | 7 |
How is the score calculated?
Scores start at 100. Deductions are: Critical (-10), High (-5), Medium (-2), Low (-1). To ensure fairness, deductions are capped per category: Critical (40), High (25), Medium (15), Low (10).
Scan Summary
| # | Item | Value |
|---|---|---|
| 1 | Input Hostname | xelfin.in |
| 2 | Scan Start Time | March 7, 2026, 9:52 a.m. |
| 3 | Scan Duration | 104.84s |
| 4 | Total Test Cases | 50 |
Target Information
| # | Item | Value |
|---|---|---|
| 1 | Target URL | https://xelfin.in/ |
| 2 | IP Address | 132.148.96.3 |
| 3 | Hosting Provider | GoDaddy Hosting |
| 4 | Registrar | Not Available |
| 5 | Programming Language | PHP:8.3.30 |
| 6 | Web Server | apache |
| 7 | Operating System | Linux/Unix |
| 8 | HTTPS Enabled | Enabled |
| 9 | WAF Detected | Not Detected |
Original Header Response
Network & Infrastructure Reconnaissance
| Check | Result |
|---|---|
| Inline Connection | Yes |
| IP Address | 132.148.96.3 |
| Hosting Provider | GoDaddy Hosting |
| Server | apache |
| Server Disclosure CVE | No CVEs found |
| Operating System | Linux/Unix |
| Open Ports | 3306, 443, 80 |
| Database Technology | Not Detected |
| WAF Detection | Not Detected |
| SSL Certificate | Certificate is valid |
Application Stack & Technology Fingerprinting
| Check | Result |
|---|---|
| CMS | |
| CMS CVE | |
| Programming Language | PHP:8.3.30 |
| Technology Disclosure CVE | |
| Javascript Libraries | |
| Javascript Libraries CVE | |
| Openapi Disclosure | Not Found |
| XML RPC Endpoint Detection | Disabled |
Transport Layer Security (TLS) & Encryption
| Check | Result |
|---|---|
| Mixed Content Analysis | Mixed content (HTTP on HTTPS) |
| Secure Connection | Enabled |
| Unencrypted Viewstate | Not Detected |
HTTP Security Headers Analysis
| Check | Result |
|---|---|
| Security Headers Checked | STRICT-TRANSPORT-SECURITY, X-FRAME-OPTIONS, CONTENT-SECURITY-POLICY, X-CONTENT-TYPE-OPTIONS, X-XSS-PROTECTION, REFERRER-POLICY, X-PERMITTED-CROSS-DOMAIN |
| Content Security Policy | Missing Content-Security-Policy header |
| Strict Transport Security | Missing Strict-Transport-Security header |
| Referrer Policy | Missing Referrer-Policy header |
| X Content Type Options | Missing X-Content-Type-Options header |
| CSP Analysis | Properly Configured |
| X Frame Options | Missing X-Frame-Options |
| X XSS Protection | Missing x-xss-protection header |
Session & Cookie Security
| Check | Result |
|---|---|
| Missing HTTPonly Flag In Cookies | Missing HttpOnly flag in cookies |
| Missing Secure Flag In Cookies | Missing Secure flag in cookies |
| Loose Cookie Domain | Secure |
Sensitive Resource & File Exposure
| Check | Result |
|---|---|
| Directory Listing | Disabled |
| Secret Files Detection | https://xelfin.in/robots.txt, https://xelfin.in/sitemap.xml |
| Robots Txt File Found | None |
| Path Disclosure | Not Found |
| Htaccess Exposure | None |
Authentication & Credential Exposure
| Check | Result |
|---|---|
| Passwords Submitted Unencrypted | Passwords submitted unencrypted |
| Password Leakage | Not Detected |
| Password Field With Autocomplete | Properly Configured |
Information Disclosure & Error Handling
| Check | Result |
|---|---|
| Error Messages Analysis | Secure |
| Cross Domain Inclusion | img1.wsimg.com, gmpg.org, themedemo.commercegurus.com |
Application Surface & Method Exposure
| Check | Result |
|---|---|
| HTTP Methods Allowed | GET, POST, PUT, PATCH, DELETE, OPTIONS, HEAD, DEBUG |
| Enabled Debug Method | Yes |
| Enabled Options Method | Yes |
| File Upload | Not Detected |
| Client Access Policies | Not Found |
Email & Domain Security Configuration
| Check | Result |
|---|---|
| Email Extraction | None Found |
| SPF | Not Configured |
| DMARC | Not Configured |
| DKIM | Not Configured |
Abuse & Rate-Limiting Controls
| Check | Result |
|---|---|
| Rate Limit Headers | Missing Rate Limit header |
Injection & Header Manipulation
| Check | Result |
|---|---|
| Host Header Injection | Not Vulnerable |
Bot & Automation Protection
| Check | Result |
|---|---|
| Captcha Detection | Not Detected |
Other Findings
| Check | Result |
|---|---|
| Registrar | None |
Findings – CVE (Common Vulnerabilities and Exposures)
| Sr. No | Vulnerability Source | CVE ID | Severity | Score | Description | Remediation |
|---|---|---|---|---|---|---|
| 1 | php-8.3.30 - CVE-2024-4577 | CVE-2024-4577 | Critical | 9.8 | In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc. | Apply latest security patches. |
| 2 | wordpress-6.9.1 - CVE-2021-39202 | CVE-2021-39202 | High | 7.6 | WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. In affected versions the widgets editor introduced in WordPress 5.8 beta 1 has improper handling of HTML input in the Custom HTML feature. This leads to stored XSS in the custom HTML widget. This has been patched in WordPress 5.8. It was only present during the testing/beta phase of WordPress 5.8. | Apply latest security patches. |
| 3 | php-8.3.30 - CVE-2024-5585 | CVE-2024-5585 | High | 7.7 | In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, the fix for CVE-2024-1874 does not work if the command name includes trailing spaces. Original issue: when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell. | Apply latest security patches. |
| 4 | php-8.3.30 - CVE-2025-14177 | CVE-2025-14177 | High | 7.5 | In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, the getimagesize() function may leak uninitialized heap memory into the APPn segments (e.g., APP1) when reading images in multi-chunk mode (such as via php://filter). This occurs due to a bug in php_read_stream_all_chunks() that overwrites the buffer without advancing the pointer, leaving tail bytes uninitialized. This may lead to information disclosure of sensitive heap data and affect the confidentiality of the target server. | Apply latest security patches. |
| 6 | jquery-3.7.1 - CVE-2016-10707 | CVE-2016-10707 | High | 7.5 | jQuery 3.0.0-rc.1 is vulnerable to Denial of Service (DoS) due to removing a logic that lowercased attribute names. Any attribute getter using a mixed-cased name for boolean attributes goes into an infinite recursion, exceeding the stack call limit. | Apply latest security patches. |
| 12 | wordpress-6.9.1 - CVE-2020-11029 | CVE-2020-11029 | Medium | 5.8 | In affected versions of WordPress, a vulnerability in the stats() method of class-wp-object-cache.php can be exploited to execute cross-site scripting (XSS) attacks. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33). | Apply latest security patches. |
| 13 | wordpress-6.9.1 - CVE-2021-39203 | CVE-2021-39203 | Medium | 6.8 | WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. In affected versions authenticated users who don't have permission to view private post types/data can bypass restrictions in the block editor under certain conditions. This affected WordPress 5.8 beta during the testing period. It's fixed in the final 5.8 release. | Apply latest security patches. |
| 14 | wordpress-6.9.1 - CVE-2022-3590 | CVE-2022-3590 | Medium | 5.9 | WordPress is affected by an unauthenticated blind SSRF in the pingback feature. Because of a TOCTOU race condition between the validation checks and the HTTP request, attackers can reach internal hosts that are explicitly forbidden. | Apply latest security patches. |
| 15 | wordpress-6.9.1 - CVE-2023-2745 | CVE-2023-2745 | Medium | 5.4 | WordPress Core is vulnerable to Directory Traversal in versions up to, and including, 6.2, via the ‘wp_lang’ parameter. This allows unauthenticated attackers to access and load arbitrary translation files. In cases where an attacker is able to upload a crafted translation file onto the site, such as via an upload form, this could be also used to perform a Cross-Site Scripting attack. | Apply latest security patches. |
| 16 | php-8.3.30 - CVE-2024-5458 | CVE-2024-5458 | Medium | 5.3 | In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, due to a code logic error, filtering functions such as filter_var when validating URLs (FILTER_VALIDATE_URL) for certain types of URLs the function will result in invalid user information (username + password part of URLs) being treated as valid user information. This may lead to the downstream code accepting invalid URLs as valid and parsing them incorrectly. | Apply latest security patches. |
| 17 | php-8.3.30 - CVE-2024-2408 | CVE-2024-2408 | Medium | 5.9 | The openssl_private_decrypt function in PHP, when using PKCS1 padding (OPENSSL_PKCS1_PADDING, which is the default), is vulnerable to the Marvin Attack unless it is used with an OpenSSL version that includes the changes from this pull request: https://github.com/openssl/openssl/pull/13817 (rsa_pkcs1_implicit_rejection). These changes are part of OpenSSL 3.2 and have also been backported to stable versions of various Linux distributions, as well as to the PHP builds provided for Windows since the previous release. All distributors and builders should ensure that this version is used to prevent PHP from being vulnerable. PHP Windows builds for the versions 8.1.29, 8.2.20 and 8.3.8 and above include OpenSSL patches that fix the vulnerability. | Apply latest security patches. |
| 18 | jquery-3.7.1 - CVE-2007-2379 | CVE-2007-2379 | Medium | 5.0 | The jQuery framework exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka "JavaScript Hijacking." | Apply latest security patches. |
| 19 | jquery-3.7.1 - CVE-2011-4969 | CVE-2011-4969 | Medium | 4.3 | Cross-site scripting (XSS) vulnerability in jQuery before 1.6.3, when using location.hash to select elements, allows remote attackers to inject arbitrary web script or HTML via a crafted tag. | Apply latest security patches. |
| 20 | jquery-3.7.1 - CVE-2014-6071 | CVE-2014-6071 | Medium | 6.1 | jQuery 1.4.2 allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to use of the text method inside after. | Apply latest security patches. |
| 21 | jquery-3.7.1 - CVE-2018-18405 | CVE-2018-18405 | Medium | 6.1 | jQuery v2.2.2 allows XSS via a crafted onerror attribute of an IMG element. NOTE: this vulnerability has been reported to be spam entry | Apply latest security patches. |
Findings – CWE (Common Weakness Enumeration)
| Sr. No | Vulnerability Source | CWE ID | Severity | Description | Remediation |
|---|---|---|---|---|---|
| 5 | Mixed content (HTTP on HTTPS) | CWE-319 | High | Sensitive information may be sent over unencrypted channels when HTTP assets load on an HTTPS page. | Ensure all assets (JS, CSS, images) load using HTTPS only. |
| 7 | Passwords submitted unencrypted | CWE-319 | High | Credentials transmitted without encryption can be intercepted. | Use HTTPS-only forms and ensure encrypted transport of all authentication data. |
| 8 | Missing Content-Security-Policy header | CWE-693 | High | Failure to enforce mechanisms that protect against unauthorized modifications such as XSS or content injection. | Implement a strong Content-Security-Policy header such as: "Content-Security-Policy: default-src 'self'; script-src 'self'". |
| 9 | Missing Strict-Transport-Security header | CWE-319 | High | Sensitive information is exposed in transit due to the absence of secure channel enforcement. | Enable HSTS with: "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload". |
| 10 | Missing HttpOnly flag in cookies | CWE-1004 | High | Cookies accessible by JavaScript can be stolen via XSS. | Set the HttpOnly flag to prevent client-side script access. |
| 11 | Missing Secure flag in cookies | CWE-614 | High | Cookies without the Secure flag may be sent over unencrypted connections. | Enable the Secure flag for all session or sensitive cookies. |
| 22 | Missing Referrer-Policy header | CWE-200 | Medium | Exposure of sensitive URLs or information to third-party sites. | Set a secure referrer policy such as: "Referrer-Policy: no-referrer". |
| 23 | Missing X-Content-Type-Options header | CWE-16 | Medium | Improperly configured security headers allow MIME-type confusion attacks. | Add the header: "X-Content-Type-Options: nosniff". |
| 24 | Missing Rate Limit header | CWE-770 | Medium | Improper control of resource consumption may enable brute-force or DoS attacks. | Implement rate limiting and add headers such as 'X-RateLimit-Limit' and 'Retry-After'. |
| 25 | Missing Header: STRICT-TRANSPORT-SECURITY | CWE-693 | Low | The security header STRICT-TRANSPORT-SECURITY is missing. | Add STRICT-TRANSPORT-SECURITY header to server configuration. |
| 26 | Missing Header: X-FRAME-OPTIONS | CWE-693 | Low | The security header X-FRAME-OPTIONS is missing. | Add X-FRAME-OPTIONS header to server configuration. |
| 27 | Missing Header: CONTENT-SECURITY-POLICY | CWE-693 | Low | The security header CONTENT-SECURITY-POLICY is missing. | Add CONTENT-SECURITY-POLICY header to server configuration. |
| 28 | Missing Header: X-CONTENT-TYPE-OPTIONS | CWE-693 | Low | The security header X-CONTENT-TYPE-OPTIONS is missing. | Add X-CONTENT-TYPE-OPTIONS header to server configuration. |
| 29 | Missing Header: X-XSS-PROTECTION | CWE-693 | Low | The security header X-XSS-PROTECTION is missing. | Add X-XSS-PROTECTION header to server configuration. |
| 30 | Missing Header: REFERRER-POLICY | CWE-693 | Low | The security header REFERRER-POLICY is missing. | Add REFERRER-POLICY header to server configuration. |
| 31 | Missing Header: X-PERMITTED-CROSS-DOMAIN | CWE-693 | Low | The security header X-PERMITTED-CROSS-DOMAIN is missing. | Add X-PERMITTED-CROSS-DOMAIN header to server configuration. |