Several issues to improve on:
https://webhint.io/scanner/6b8897e5-a476-4e2f-996e-728e329f5da7Unpatched exploit for your CMS:
https://github.com/rebic/metinfo (via document.write( )
> position: $id parameter /app/system/include/class/user.class.php in line 128 and 137
Yes, PHP can be a can of worms with PHP=based Content Management Software.
This exploit has been open since October last and is still unpatched, use other additional security measures.
XSS-DOM source and sinks: Results from scanning URL: -http://www.norwii.com/cache/lang_json_cn.js?1582535417
Number of sources found: 167
Number of sinks found: 26
&
Results from scanning URL: -http://www.norwii.com/cache/lang_json_cn.js?1582535417
Number of sources found: 2
Number of sinks found: 2
Wait for the final verdict from an avast team member, the only ones to come and unblock.
polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)