MEDIUM · refiner

Chennai Petroleum Corporation Ltd

WordPress fingerprint exposed via /wp-json/; missing CSP

cpcl.co.in · baseline scan 2026-04-27 · daily passive check 2026-06-13 · Phase 2 active scan 2026-04-28

Daily passive check · 2026-06-13

score 62

Availability: request timed out
TLS: unknown
Headers: 6 missing · 0 permissive
Email auth: SPF soft · DMARC quarantine

Security score: 60 · Watch

Headline findings

  • 01 · WordPress fingerprint exposed via Link headers (rel=alternate to /wp-json/v2)
  • 02 · Missing CSP
  • 03 · Permissions-Policy permits payment and fullscreen — broader than typical
  • 04 · Soft-fail SPF

TLS security

Status: unknown
Issuer: Unavailable
TLS connection timed out

Email authentication

SPF: soft · DKIM: present · DMARC: quarantine

Hardening headers

0 / 0 / 6 (present / permissive / missing)

  • HSTS · missing
  • CSP · missing
  • X-Frame-Options · missing
  • X-Content-Type-Options · missing
  • Referrer-Policy · missing
  • Permissions-Policy · missing

Lookalike domains

  • cpcl.co.com · 169.60.151.233 (RIPE-allocated cloud, typosquat cluster)
  • cpcl.in · 202.71.129.6 (third-party)

Public topology · CT logs

2 total

2 subdomains in CT logs; no sensitive categories flagged.

Certificate-transparency logs are immutable and public. Sensitive subdomains advertised here cannot be retracted; the mitigation is forward-only — new internal services route through a private CA that does not submit to public CT.

Phase 2 · Active scan complete

Authorised ethical-hacking assessment ran on 2026-04-28. Active fingerprinting, CVE matching, Mythos-class adversary simulation, and CISO patch list below.

Single-question version for MD

Can CPCL patch King Addons (CVE-2025-8489 CVSS 9.8 KEV) and suppress WordPress version disclosure before the next reconnaissance scan triggers automated exploitation?

Active fingerprints · per host

  • www.cpcl.co.in · EOL × 3

    WordPress on Office365 MX (cpcl-co-in.mail.protection.outlook.com)

    • WordPress version exposed via /wp-json
    • No CSP
    • Soft-fail SPF (~all)

Attack-path simulation

Mythos-class adversary analytical chain · paths ranked by exploitability × access value.

#1 · Path A: WordPress version detection → CVE matching
effort: hours · detection: low (bad)
Entry: Identify WP version via wp-json. Enumerate plugins (King Addons, WPBakery).
Pivot: Match to CVE-2025-8489 (King Addons CVSS 9.8 KEV — privilege escalation) or CVE-2024-56286 (WPBakery CVSS 8.2 stored XSS).
Objective: Site takeover via privilege escalation.

#1 · Path B: King Addons CVE-2025-8489 unauthenticated privilege escalation
effort: hours · detection: low (bad)
Entry: Free user registration (if enabled). Specify 'administrator' role in payload.
Pivot: Escalate to admin without authentication.
Objective: Complete site takeover.

#2 · Path C: WPBakery CVE-2024-56286 stored XSS
effort: hours · detection: medium
Entry: Legacy plugin contains stored XSS in page builder.
Pivot: Inject payload via contributor/editor account; admin views; token harvested.
Objective: Backdoor; admin compromise.

#2 · Path D: Soft-fail SPF + Office 365 MX → spear phishing
effort: days · detection: low (bad)
Entry: SPF ~all soft-fail; Office 365 MX shared infrastructure.
Pivot: Spoofed mail from cpcl-alternate.mail.protection.outlook.com may pass alignment.
Objective: Reach inbox with valid SPF; supplier-payment fraud.

Mythos compression

Discovery-time compression: pre-AI adversary vs Mythos-class adversary, per attack path.

Path A · WordPress version detection → CVE matching
factor: ~5–10×
pre-AI: WordPress version detection → plugin CVE matching → privilege escalation
Mythos: AI-augmented attacker auto-correlates wp-json fingerprint with current CVE chain in seconds

Path D · Soft-fail SPF + Office 365 MX → spear phishing
factor: ~3–5×
pre-AI: Soft-fail SPF + O365 MX → spear-phishing with high deliverability
Mythos: Lure crafting + supplier-network mapping accelerated

The compression factor is reasoned, not measured. Mythos-class capability changes the tempo of attack-path traversal; the topology of the chain is unchanged.

CISO patch list

Tier 1 · within 7 days

  • critical · Audit WordPress core + all plugins; update against CVE-2025-8489
    Host: www.cpcl.co.in
    CVE: CVE-2025-8489, CVE-2024-56286
    Fix: wp-cli: wp plugin list --update=available. Update King Addons → 51.1.35+. Update WPBakery / Elementor / others. Test on staging.
    Owner: Web Ops
    Validation: wp plugin status: all current; vulnerable plugin versions absent
  • critical · Suppress WordPress version disclosure
    Host: www.cpcl.co.in
    Fix: Remove Link headers (wp-json). Disable /wp-json/ or require auth. Hide version in HTML meta + HTTP headers.
    Owner: Web Ops
    Validation: curl -sI https://www.cpcl.co.in/ | grep -i wp-json returns nothing
  • critical · Disable or restrict user registration
    Host: www.cpcl.co.in
    CVE: CVE-2025-8489 mitigation
    Fix: WP Admin → Settings → Membership, uncheck 'Anyone can register'. If needed, allowlist @cpcl.co.in only with manual approval.
    Owner: Web Ops
    Validation: Public registration with @gmail.com blocked

Tier 2 · within 30 days

  • high · Add CSP header — nonce-based
    Host: www.cpcl.co.in
    Fix: default-src 'self'; script-src 'self' 'nonce-{random}'; style-src 'self' 'unsafe-inline' (only if necessary).
    Owner: Web Ops
    Validation: curl -sI https://www.cpcl.co.in/ shows Content-Security-Policy with a nonce and no unsafe-inline/eval in script-src
  • high · Upgrade SPF from ~all to -all after 30-day monitoring
    Host: cpcl.co.in (email)
    Fix: Monitor SPF alignment for 30 days; replace ~all with -all.
    Owner: Email Security
    Validation: dig +short TXT cpcl.co.in shows -all
  • high · Upgrade DMARC p=quarantine → p=reject
    Host: cpcl.co.in (email)
    Fix: After SPF -all + 30-day clean rua, promote DMARC to p=reject.
    Owner: Email Security
    Validation: dig +short TXT _dmarc.cpcl.co.in shows p=reject
  • high · Deploy WAF — block WordPress exploitation patterns
    Host: www.cpcl.co.in
    Fix: Cloudflare or ModSecurity OWASP CRS. Custom rules: block /wp-admin/admin-ajax.php admin payloads from non-admin sessions.
    Owner: Security / WAF
    Validation: <img src=x onerror=alert(1)> returns 403
  • high · Audit WordPress user roles + enforce 2FA on admins
    Host: www.cpcl.co.in
    Fix: WP Admin → Users → audit each role + last login + 2FA status. Remove inactive users. Wordfence or Two-Factor plugin.
    Owner: Web Ops
    Validation: All admin/editor accounts have 2FA enabled

Tier 3 · within 90 days

  • medium · DKIM signing for Office 365 mail
    Host: cpcl.co.in (email)
    Fix: O365 admin: Enable DKIM. Verify alignment with DMARC.
    Owner: Email Security
    Validation: Test email shows DKIM-Signature: pass

Methodology is reproducible by any visitor with curl, dig, and openssl. Phase 1 (passive) findings are unconditional; Phase 2 (active) findings require per-entity ethical-hacking authorisation.

Sibling: Sanjaya — fuel pricing transparency on the same Ministry portfolio. Sanjaya narrates; Sanket warns.