Hi Gado Mix,
Outdated Plug-in software: WordPress Plugins
The following plugins were detected by reading the HTML source of the WordPress sites front page.
jetpack 7.2 latest release (8.0)
https://jetpack.commenu-icons latest release (0.12.2)
https://github.com/Plugins are a source of many security vulnerabilities within WordPress installations, always keep them updated to the latest version available and check the developers plugin page for information about security related updates and fixes.
Directory Indexing
In the test an attempt was made to list the directory contents of the uploads and plugins folders to determine if Directory Indexing is enabled. This is a common information leakage vulnerability that can reveal sensitive information regarding your site configuration or content.
/wp-content/uploads/ enabled
/wp-content/plugins/ disabled
Directory indexing was tested on the /wp-content/uploads/ and /wp-content/plugins/ directores. Note that other directories may have this web server feature enabled, so ensure you check other folders in your installation. It is good practice to ensure directory indexing is disabled for your full WordPress installation either through the web server configuration or .htaccess.
Also Fortinet & Netcraft flag it:
https://www.virustotal.com/gui/url/c58cb1839c2e44436db73f9cfc1ca97d2a84e896948794ed6209d28fa91af99f/detectionSee recommendations found through linting:
https://webhint.io/scanner/635fcb31-1bb0-4a99-8521-714029c8ac06Retire.js issues: Retire.js
jquery 1.12.4 Found in -https://tv.myegy.cam/wp-content/themes/myegy.cam/Interface/js/jquery.min.js
Vulnerability info:
Medium 2432 3rd party CORS request may execute CVE-2015-9251
Medium CVE-2015-9251 11974 parseHTML() executes scripts in event handlers
Low CVE-2019-11358 jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution
jquery 1.12.4 Found in -https://tv.myegy.cam/wp-includes/js/jquery/jquery.js
Vulnerability info:
Medium 2432 3rd party CORS request may execute CVE-2015-9251 1234
Medium CVE-2015-9251 11974 parseHTML() executes scripts in event handlers 123
Low CVE-2019-11358 jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution
JavaScript errors detected: File not found: -http://platform.twitter.com/widgets.js
File not found: -/wp-content/themes/myegy.cam/Interface/css/jquery-accordion-menu.css
TypeError: $ is not a function
-/wp-content/themes/myegy.cam/Interface/js/ajax-login-script.js:1
TypeError: Cannot read property 'addEventListener' of undefined
-/watch/%d9%85%d8%b5%d8%a7%d8%b1%d8%b9%d8%a9/:1523
-/watch/%d9%85%d8%b5%d8%a7%d8%b1%d8%b9%d8%a9/:1514
Also check DOM_XSS issues here: Results from scanning URL: -//deloplen.com/apu.php?zoneid=2786745
Number of sources found: 35 (input that can eventually be controlled)
Number of sinks found: 12 (methods to achieve that)
(This is what adblockers block and probably at the core of your problems).
Wait for an avast team member to give a final verdict, take care the JavaScript adware malcode has been cleansed.
polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
