# ARCEP - WordPress REST API User Enumeration
**Date:** 2026-03-03
**Source:** /wp-json/wp/v2/users?per_page=100
**Status:** OPEN — API returns full user list to unauthenticated requests

## Users Found

| ID | Display Name | Slug (username) | Gravatar Hash |
|----|-------------|-----------------|---------------|
| 4 | webmanager | webmaster | — |
| 7 | atraore | atraore | fafee8299b6f09f5db44ffda68c55ceb |
| 8 | Stella Ouedraogo | stella-ouedraogoarcep-bf | — |
| 9 | Yacouba KOUSSOUBE | y-koussoube | — |
| 10 | Lucien Manzaba | lucien-manzabaarcep-bf | 81f2a93a084a6c9bea12edaa03597a3d |

## Analysis
- **Slug pattern suggests the email format:** `firstname.lastname@arcep.bf` (slugs such as `stella-ouedraogoarcep-bf` look like an email-address login with the `.` and `@` stripped)
  - lucien.manzaba@arcep.bf (inferred)
  - stella.ouedraogo@arcep.bf (inferred)
- **Gravatar hashes** can be matched against candidate addresses to confirm email addresses
- **webmaster account (ID 4)** — lowest ID, so the oldest account; likely an administrator
- **atraore** — possibly A. Traore, a common Burkinabè surname
- **Yacouba KOUSSOUBE** — slug `y-koussoube` (initial plus surname) follows a different naming convention from the others

## .htaccess Exposure
The `.htaccess` file is also readable (HTTP 200):
- DEFLATE compression configuration
- **Git protection:** `RedirectMatch 404 /\.git` (they know about git exposure risk)
- WPSuperCache directives
- WordPress mod_rewrite rules

## Impact
- User enumeration enables targeted brute-force or phishing against known accounts
- Email format inference allows building a target email list from the display names
- Gravatar hashes can be cracked to confirm inferred emails
- Combined with the already-known secretariat@arcep.bf address, this reveals organizational structure
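
## Mitigation

By default WordPress lists every user who has published content to anonymous callers of `/wp/v2/users`, so the listing above needs an explicit filter to close. The following must-use plugin is an added example, not ARCEP's code; it assumes the core route keys `/wp/v2/users` and `/wp/v2/users/(?P<id>[\d]+)` and hides them unless the caller is authenticated.

```php
<?php
/**
 * Plugin Name: Restrict REST user listing to authenticated users
 * Description: Added mitigation example (not ARCEP's code). Save as
 *              wp-content/mu-plugins/restrict-rest-users.php so it always loads.
 */

// Route keys registered by core's WP_REST_Users_Controller (assumed to match
// the current core registration). /wp/v2/users/me already requires
// authentication and is left untouched.
const RESTRICTED_USER_ROUTES = array(
    '/wp/v2/users',
    '/wp/v2/users/(?P<id>[\d]+)',
);

/**
 * Remove the user routes for anonymous callers. Filtering the route table
 * (rather than matching REQUEST_URI) also covers the ?rest_route=/wp/v2/users
 * form and any URL encoding, because the server resolves the route first.
 */
function example_hide_user_routes( array $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints; // editors still need the author picker in the editor
    }
    foreach ( RESTRICTED_USER_ROUTES as $route ) {
        unset( $endpoints[ $route ] );
    }
    return $endpoints;
}
add_filter( 'rest_endpoints', 'example_hide_user_routes' );

/**
 * Return an explicit 401 instead of the generic 404 ("rest_no_route") so that
 * monitoring can tell blocked enumeration attempts apart from typos.
 * Runs before dispatch for every REST request.
 */
function example_reject_anonymous_user_requests( $result ) {
    if ( ! empty( $result ) || is_user_logged_in() ) {
        return $result; // another filter already decided, or the caller is authenticated
    }
    $uri = isset( $_SERVER['REQUEST_URI'] ) ? rawurldecode( wp_unslash( $_SERVER['REQUEST_URI'] ) ) : '';
    // Matches /wp-json/wp/v2/users, /wp/v2/users/7 and ?rest_route=/wp/v2/users&per_page=100
    if ( preg_match( '#/wp/v2/users(?:[/?&]|$)#', $uri ) ) {
        return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
    }
    return $result;
}
add_filter( 'rest_authentication_errors', 'example_reject_anonymous_user_requests' );
```

After installing, an anonymous `GET /wp-json/wp/v2/users?per_page=100` returns a 401 JSON error while a logged-in editor still gets the user list. The readable `.htaccess` (HTTP 200) is a separate web-server issue: Apache's stock configuration denies `.ht*` files with a `<Files ".ht*">` block, so that block is missing or overridden on this host.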
