# Bank of Africa (BOA) — Complete Intelligence Report
**Date:** 2026-03-04
**Target:** bank-of-africa.net
**Severity:** CRITICAL — 4,611 PII records + 750 PDFs + 36 CSR locations

---

## Executive Summary

Bank of Africa's WordPress site exposes a large volume of personally identifiable information (PII) through the WP Job Manager Resume Manager add-on. The `resume` post type is registered in the core REST API, so `/wp-json/wp/v2/resumes` returns all 4,611 job-applicant records to unauthenticated callers, including:
- Full names
- Personal email addresses (3,956 unique)
- CV/resume file download URLs (4,589 unique)
- Cover letters/application text
- Submission timestamps

The CV files themselves return 403 (blocked at the web-server level), but every resume record's metadata and PII is readable through the API.

---

## Attack Surface

### WordPress REST API (NO AUTH)
- `/wp-json/wp/v2/resumes?per_page=100` — **4,611 records, 47 pages**
- `/wp-json/wp/v2/posts?per_page=100` — 390 posts
- `/wp-json/wp/v2/pages?per_page=100` — 101 pages
- `/wp-json/wp/v2/media?per_page=100` — 2,588 media items
- `/wp-json/wp/v2/users?per_page=100` — 2 users
- `/wp-json/wp/v2/wpsl_stores?per_page=100` — 36 CSR project locations
- `/wp-json/wp/v2/wpcf7_contact_form` — 6 contact forms
- `/wp-json/wp/v2/job-types` — 10 job types (CDD, CDI, Freelance, Stage, Mobilité Interne)
- `/wp-json/wp/v2/search` — 5,112 search index entries
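The exposure above comes down to a custom post type being visible to the core `wp/v2` controllers plus unauthenticated user listing. The following drop-in mu-plugin is an added remediation example written for this page; it is not code from WordPress, WP Job Manager, or the site operator. It assumes Resume Manager registers its post type under the slug `resume` with `rest_base` `resumes` (which is what `/wp-json/wp/v2/resumes` implies) and that nothing outside the admin UI legitimately needs those records over `wp/v2`.

```php
<?php
/**
 * Plugin Name: Harden WP REST exposure (example)
 *
 * Illustrative mu-plugin (wp-content/mu-plugins/harden-rest.php) that closes
 * the two anonymous REST exposures discussed on this page: the resume custom
 * post type and user enumeration. Added for this page; not shipped by
 * WordPress, WP Job Manager or the site operator.
 *
 * Assumptions (verify on the install being hardened):
 *   - Resume Manager registers its post type as 'resume' with rest_base
 *     'resumes' (hence /wp-json/wp/v2/resumes).
 *   - Only logged-in staff need those records via the REST API.
 */

defined('ABSPATH') || exit;

// Post types that must never be served by the core wp/v2 controllers.
const HARDEN_REST_PRIVATE_TYPES = ['resume'];

/**
 * Layer 1: keep the resume post type out of wp/v2 entirely.
 * register_post_type_args runs when the type is registered; an mu-plugin
 * loads before regular plugins, so this filter is already in place when
 * Resume Manager registers 'resume'. With show_in_rest=false the type also
 * drops out of /wp/v2/search, which only indexes REST-visible types.
 */
add_filter('register_post_type_args', function (array $args, string $post_type): array {
    if (in_array($post_type, HARDEN_REST_PRIVATE_TYPES, true)) {
        $args['show_in_rest'] = false;
    }
    return $args;
}, 10, 2);

/**
 * Layer 2: defence in depth. Even if another plugin re-enables the route,
 * refuse anonymous requests to resume and user routes before dispatch.
 * By the time rest_pre_dispatch fires, cookie/nonce or application-password
 * authentication has been evaluated, so is_user_logged_in() is reliable.
 */
add_filter('rest_pre_dispatch', function ($result, WP_REST_Server $server, WP_REST_Request $request) {
    if (is_user_logged_in()) {
        return $result; // authenticated caller: let the normal dispatch run
    }

    $route   = $request->get_route();
    $blocked = [
        '#^/wp/v2/resumes(/|$)#', // collection and single-item routes
        '#^/wp/v2/users(/|$)#',   // stops author/username enumeration
    ];

    foreach ($blocked as $pattern) {
        if (preg_match($pattern, $route)) {
            return new WP_Error(
                'rest_forbidden',
                __('Authentication required for this resource.'),
                ['status' => 401]
            );
        }
    }
    return $result;
}, 10, 3);
```

After deploying, confirm that an anonymous `GET /wp-json/wp/v2/resumes` and `GET /wp-json/wp/v2/users` return 401 while a logged-in admin session still works, and exercise Resume Manager's front-end submission and listing pages: if the plugin relies on the `wp/v2` route for any public feature (an assumption worth testing rather than trusting), keep layer 2 and drop layer 1 so the route exists but remains authenticated-only.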

### User Accounts
| ID | Name | Slug | Notes |
|----|------|------|-------|
| 1 | admin | admin | Site administrator |
| 14 | Yassine CHRAIBI | webmaster | BOA Group webmaster (profile URL field: BOA GROUPE) |

### Plugins Detected
- WP Job Manager + Resume Manager (CRITICAL — exposes all CVs)
- RankMath SEO
- Polylang (FR/EN)
- Contact Form 7 (6 forms)
- Popup Maker
- WPSL Store Locator

---

## PII Extraction

### Email Domain Distribution (14 domains listed)
| Domain | Count |
|--------|-------|
| gmail.com | 3,335 |
| yahoo.fr | 180 |
| yahoo.com | 98 |
| hotmail.com | 62 |
| hotmail.fr | 37 |
| outlook.fr | 25 |
| outlook.com | 24 |
| live.fr | 23 |
| icloud.com | 19 |
| ism.edu.sn | 12 |
| esp.sn | 7 |
| cesag.edu.sn | 5 |
| ugb.edu.sn | 4 |
| socgen.com | 2 |

### Geographic Distribution (from email domains)
- **West Africa dominant**: .sn (Senegal), .bf (Burkina), .ci (Côte d'Ivoire)
- **Francophone focus**: yahoo.fr, hotmail.fr, outlook.fr, live.fr
- **Notable**: 2 @socgen.com addresses (Société Générale's corporate domain)

### Files Generated
| File | Contents |
|------|----------|
| EXTRACTED-EMAILS.txt | 3,956 unique email addresses |
| EXTRACTED-NAMES.txt | 2,623 unique names |
| EXTRACTED-CV-URLS.txt | 4,589 CV file URLs |
| RESUME-PII-MASTER.csv | Full PII: ID, Name, Email, CV URL, Date, Slug |
| MEDIA-PDF-URLS.txt | 750 accessible PDF URLs |
| ALL-MEDIA-URLS.txt | 2,588 total media URLs |

---

## Media Analysis

### Accessible Media (2,588 items)
- 750 PDFs (board meeting programs, reports, CSR documents)
- ~1,800 images (JPEG, PNG, SVG)
- PDF files stored at `/wp-content/uploads/YYYY/MM/` — **200 OK**

### Blocked Media
- CV/Resume files under `/wp-content/uploads/resumes/resume_files/` — **403 Forbidden**
- The 403 is consistent with an Apache `.htaccess` deny rule on the resume upload directory
- The 403 persists through a Tor exit, so the block is server-side rather than IP- or geo-based

---

## CSR/Foundation Locations (36 entries)
BOA Foundation projects across:
- Burkina Faso, Benin, Mali, Niger, Senegal, Madagascar, Côte d'Ivoire
- Programs: cancer prevention, life centers, school construction, boreholes, COVID-19 support

---

## Methodology
1. WP REST API discovery via `/wp-json/` root
2. User enumeration via `/wp-json/wp/v2/users`
3. Resume endpoint discovered via API root namespace listing (wpjm-internal)
4. Paginated download of all 47 resume pages (100 per page)
5. PII extraction via Python JSON parsing
6. CV file download attempted — 403, consistent with an Apache `.htaccess` deny on the resume directory
7. Retried through a Tor proxy — still 403 (server-side restriction, not IP-based)
8. Regular media files confirmed accessible (200 OK)
9. 750 PDFs downloaded from `/wp-content/uploads/`
