# CBF.BF WordPress REST API Intelligence Report

**Target:** https://www.cbf.bf (https://cbf.bf redirects to www)
**Organization:** Conseil Burkinabe des Filieres agropastorales et halieutiques (CBF)
**Date:** 2026-03-04
**Analyst:** Automated REST API dump

---

## CRITICAL FINDING: Identity Mismatch

The domain `cbf.bf` was initially identified as the **Federation Burkinabe de Football** (Burkina Faso Football Federation). However, the WordPress API root reveals the actual site name is:

> **Conseil Burkinabe des Filieres agropastorales et halieutiques (CBF)**

This is the **Burkinabe Council for Agropastoral and Fisheries Sectors** -- a government-adjacent agricultural regulatory body, NOT a football federation. The `.bf` TLD (Burkina Faso) and "CBF" acronym caused the misidentification. This organization oversees:
- Cashew nut (anacarde) production and trade
- Sesame production
- Agropastoral supply chains
- Fisheries (halieutiques)

---

## Server Infrastructure

### NOTABLE: Windows Server Hosting

| Parameter | Value |
|-----------|-------|
| **Web Server** | Apache/2.4.58 (Win64) |
| **OS** | Windows (Win64) |
| **OpenSSL** | 3.1.3 |
| **PHP** | 8.2.12 |
| **CMS** | WordPress (6.x based on API features) |
| **Timezone** | Europe/Paris (GMT+1) |
| **Language** | French (fr_FR) |

**Analysis:** A Burkinabe government-adjacent organization running Apache on Windows is unusual; most African government sites run on Linux. The Win64 Apache/PHP/OpenSSL stack suggests either:
1. The site was developed by a local Windows-based web agency, or
2. The server is a shared Windows hosting provider (possibly XAMPP/WAMP-based).

In either case, the admin user's profile URL `http://localhost/cbf` shows the site was developed locally under `/cbf` (consistent with a XAMPP/WAMP environment on Windows) and migrated to production without that field being updated.

### Security Headers (Good)

The server sends comprehensive security headers:
- `Strict-Transport-Security: max-age=31536000; includeSubDomains`
- `X-Content-Type-Options: nosniff`
- `X-Frame-Options: SAMEORIGIN`
- `Content-Security-Policy` (detailed policy)
- `Referrer-Policy: no-referrer-when-downgrade`
- `Permissions-Policy` (restrictive -- disables geolocation, microphone, camera, payment, USB, battery)

### DNS/Routing
- `cbf.bf` -> 308 redirect -> `www.cbf.bf`
- TLS certificate present; HSTS enabled (see Security Headers)

---

## Users Enumerated

| ID | Username | Slug | Notes |
|----|----------|------|-------|
| 1 | **admin** | admin | Primary admin. Profile URL: `http://localhost/cbf` (DEV PATH LEAK) |
| 2 | **Souleymane Zerbo** | souleymane-zerbo | Second author, content contributor |

### Gravatar Hashes (SHA256)
- **admin**: `e344f2607ae5f61ce9b3d9b0a33a121829037d465bd641d52918fca195adecaf`
- **Souleymane Zerbo**: `b77eee5481f3d2383a7559fa6b6bb29953314c601915311bca748f137f6718c6`

### Key Finding: localhost URL Leak
The admin user's profile URL is `http://localhost/cbf`, confirming:
- The site was developed locally under the path `/cbf`
- The admin never updated this field after deployment
- This suggests a XAMPP/WAMP local development environment on Windows

---

## Plugin Ecosystem (25 Namespaces)

### Confirmed Installed Plugins

| Plugin | Namespace | Security Concern |
|--------|-----------|-----------------|
| **GiveWP** (Donation Platform) | `give-api/v2`, `givewp/v3` | Donation forms, payment processing, donor data routes |
| **All in One SEO (AIOSEO)** | `aioseo/v1` | 80+ routes including htaccess, backup, settings export, plugin install |
| **Contact Form 7** | `contact-form-7/v1` | Form data (403 -- correctly protected) |
| **Duplicator** (Backup/Migration) | `duplicator/v1` | Backup creation tool -- `/versions` returns HTTP 500 with `rest_forbidden` |
| **Elementor Pro** | `elementor/v1`, `elementor-pro/v1` | Page builder with form submissions endpoint |
| **WPForms** | `wpforms/v1` | Additional form plugin |
| **MC4WP** (Mailchimp for WP) | `mc4wp/v1` | Email marketing integration |
| **CatFolders** | `CatFolders/v1` | Media folder organizer -- registers GET/POST/DELETE on folders in a public namespace (the folders endpoint returned 401 when tested) |
| **WP Statistics** | `wp-statistics/v2` | Analytics -- hit tracking, online users |
| **Modula Gallery** | `modula-ai-image-descriptor/v1` | Photo gallery with AI descriptions |
| **EmailKit** | `emailkit/v1` | Email template builder -- DELETE and UPDATE data routes |
| **AIOVG (All-in-One Video Gallery)** | Built into wp/v2 | Video management |

### AIOSEO Sensitive Routes (80+ endpoints)
The AIOSEO plugin exposes numerous potentially dangerous routes:
- `/aioseo/v1/htaccess` -- .htaccess manipulation
- `/aioseo/v1/backup` -- Configuration backup
- `/aioseo/v1/backup/restore` -- Configuration restore
- `/aioseo/v1/settings/export` -- Settings export
- `/aioseo/v1/settings/import` -- Settings import
- `/aioseo/v1/plugins/install` -- Plugin installation
- `/aioseo/v1/plugins/deactivate` -- Plugin deactivation
- `/aioseo/v1/connect` -- External connection
- `/aioseo/v1/reset-settings` -- Full settings reset
- `/aioseo/v1/email-debug-info` -- Debug information
- `/aioseo/v1/tools/delete-robots-txt` -- Robots.txt deletion

All tested endpoints return 401 (Unauthorized), so they are reachable only with valid credentials; the attack surface is nonetheless large, because any compromised administrator session or application password would expose all of them.

### GiveWP Donation Platform

The site runs **GiveWP** with both v2 and v3 APIs. Routes include:
- `/givewp/v3/donors` -- Donor database
- `/givewp/v3/donations` -- Donation records
- `/givewp/v3/campaigns` -- Fundraising campaigns
- `/give-api/v2/reports/payment-statuses` -- Payment status reports
- `/give-api/v2/reports/payment-methods` -- Payment method reports
- `/give-api/v2/reports/form-performance` -- Form performance analytics

**Current state:** All v3 data endpoints return empty arrays (`[]`). The form grid shows a **"test"** form (ID 2775) in **test mode** with `payment-mode=manual` and currency set to **USD** (not XOF/CFA Franc). The remaining 8 forms are English-language demo/template forms from the Rico theme ("Ensure Clean Water To The African Kids", etc.).

**Donation statuses** registered in the API include: Refunded, Failed, Revoked, Cancelled, Abandoned, Processing, Preapproval. These are registered post statuses rather than observed donations; together with the empty data endpoints, they suggest GiveWP is configured but not actively processing donations.

### Duplicator (Backup Plugin)
Duplicator, a site backup/migration tool, is installed. The `/duplicator/v1/versions` endpoint returns HTTP 500 with `rest_forbidden`. This plugin can create full site backups including the database and `wp-config.php`; if any backup archives are left in a web-accessible directory, they would contain database credentials.

---

## Content Analysis

### Posts (23 total, 1 API page)
Content primarily covers:
- Cashew nut (anacarde) industry news and regulation
- Sesame production
- Agropastoral trade fairs and events
- Recruitment notices (PSE-BF)
- Government decree announcements
- International investment forums

**Date range:** 2025-06-15 to 2025-10-15
**Authors:** Primarily admin (ID 1), with Souleymane Zerbo (ID 2) contributing 1 post

### Pages (37 total, 1 API page)
Mix of:
- Legitimate CBF content (filieres, prix des produits, documents, galeries)
- Demo/template pages from the Rico theme (still published):
  - "Donation Camp", "Medical Care", "Child Education", "Clean Water", "Healthy Food"
  - "Home Two", "Home Three"
  - Duplicate "Donor Dashboard" and "Donation Confirmation" pages
  - "FAQ", "Team", "Event", "Services"

### Categories (8)
| ID | Name | Post Count |
|----|------|-----------|
| 56 | Actualites | 18 |
| 97 | ANNONCES | 1 |
| 90 | banniere | 4 |
| 72 | Filiere : Produit | 3 |
| 55 | Marche & Prix | 2 |
| 1 | Non classe | 0 |
| 57 | Nos valeurs | 1 |
| 58 | Organisation | 1 |

### Tags (12)
All tags have **zero posts** and are English-language demo tags from the Rico theme:
"best donate", "charity", "child", "donate", "donation", "give", "giving", "pay", "poor child", "rico", "video", "vige"

### Media (334 items, 4 API pages)
Primarily JPEG images including:
- Official event photos (Facebook-style numbered filenames)
- Government meeting photos
- Agricultural product images (cashew, sesame)
- Template/theme stock images from 2022

### Videos (18 items)
Videos cover:
- Cashew nut commercialization campaigns
- RTB (Radio Television du Burkina) news reports
- Agropastoral trade fairs
- Advertising spots in local languages (Moore, Dioula, French)
- DG CBF installation ceremony (2020)

### Events (8 items)
All events are **demo/template data** from the Rico theme with English titles like:
"Give Education Poor Pepole", "Building Holy Lives God's", "Sharing Our Love To Children"

### Team Members (7 items)
All team members are **placeholder data** -- British Prime Ministers:
Boris Johnson, Robert Walpole, Henry Pelham, William Cavendish, George Grenville, Spencer Perceval, Arthur Wellesley

### Project Categories (10)
Mix of legitimate categories and demo data:
- Legitimate: BANQUE MONDIALE, COMMERCE, FAITIERES, Finance agricole, PARTENARIAT
- Demo: Cooperation, Donate Charity, national organizations, Organizations, Support

### Donation Forms (9)
One "test" form (ID 2775) and 8 demo forms from the Rico theme. No active donation processing observed.

### Comments: None (empty array)

---

## Exposed File Paths

| Path | Status | Finding |
|------|--------|---------|
| `/readme.html` | **200 OK** | Standard WordPress readme exposed -- reveals PHP/MySQL requirements |
| `/xmlrpc.php` | **405** | XML-RPC active (accepts POST only) -- potential brute-force vector |
| `/wp-cron.php` | **200** | WP-Cron accessible |
| `/wp-login.php` | **200** | Login page accessible (91KB) |
| `/wp-config-sample.php` | **500** | Returns "Database Error" -- PHP executes the sample config, confirms PHP execution in root |
| `/web.config` | 404 | Not exposed |
| `/iisstart.htm` | 404 | Not exposed (Apache, not IIS) |
| `/wp-config.php.bak` | 404 | Not exposed |
| `/wp-config.txt` | 404 | Not exposed |

### XML-RPC Finding
XML-RPC is active and responding. This is a known attack vector for:
- WordPress brute-force amplification (system.multicall)
- DDoS pingback reflection
- Username enumeration

---

## Application Passwords

The API root confirms **Application Passwords** authentication is enabled:
```
Authorization endpoint: https://www.cbf.bf/wp-admin/authorize-application.php
```

---

## Security Assessment Summary

### Vulnerabilities / Concerns

1. **Windows Server**: Unusual deployment choice for a Burkinabe government organization. Windows-specific attack vectors (path traversal with backslashes, IIS residual configs) may apply.

2. **localhost URL Leak**: Admin user URL `http://localhost/cbf` exposes the local development environment path.

3. **XML-RPC Enabled**: Exposes brute-force amplification and DDoS pingback vectors.

4. **Demo Data Not Cleaned**: Extensive Rico theme demo data (British PM team members, English charity events, template donation forms) left in production. Indicates rushed deployment or lack of post-deployment cleanup.

5. **Massive Plugin Attack Surface**: 25 API namespaces with hundreds of routes. AIOSEO alone exposes 80+ endpoints including backup, plugin management, and settings reset.

6. **Duplicator Installed**: Site backup/migration tool that can create full database dumps. Backup files may be accessible if left in default locations.

7. **GiveWP Donation System**: Active donation platform with test form in manual payment mode. Donor and donation data routes exist even though currently empty.

8. **CatFolders Public API**: Registers POST and DELETE methods for media folders in a public namespace (the folders endpoint itself returned 401 when tested; see Properly Protected below).

9. **EmailKit**: Exposes DELETE and UPDATE data routes at the API level.

10. **wp-config-sample.php Executes**: The sample config file is being parsed by PHP, returning a database error instead of a 404 or source code. Confirms PHP processes all .php files in the root.

11. **Two Form Plugins**: Both WPForms and Contact Form 7 are installed, suggesting an inexperienced administrator or incremental development.

### Properly Protected
- Admin-only endpoints (settings, plugins, users/me) return 401
- Contact Form 7 forms return 403
- Elementor templates return 401
- CatFolders folders return 401

---

## File Inventory

| File | Size | Description |
|------|------|-------------|
| api-root.json | 485 KB | Full WordPress REST API index |
| posts-page1.json | 304 KB | 23 posts (all) |
| pages-page1.json | 778 KB | 37 pages (all) |
| media-page1.json | 376 KB | Media items 1-89 |
| media-page2.json | 460 KB | Media items 90-189 |
| media-page3.json | 423 KB | Media items 190-289 |
| media-page4.json | 131 KB | Media items 290-323 |
| users.json | 2 KB | 2 users with Gravatar hashes |
| categories.json | 5 KB | 8 categories |
| tags.json | 7 KB | 12 tags (all demo) |
| comments.json | 2 B | Empty |
| search.json | 51 KB | 100 search results |
| types.json | 10 KB | 19 post types |
| taxonomies.json | 3 KB | 8 taxonomies |
| statuses.json | 2 KB | Post statuses (includes donation statuses) |
| give-forms.json | 11 KB | 9 donation forms |
| give-form-grid.json | 48 KB | Rendered donation form grid (test mode) |
| give-api-root.json | 20 KB | GiveWP v2 API routes |
| givewp-v3-root.json | 22 KB | GiveWP v3 API routes |
| aiovg-videos.json | 58 KB | 18 videos |
| rico-team.json | 127 KB | 7 team members (all demo) |
| rico-events.json | 188 KB | 8 events (all demo) |
| rico-project-cats.json | 7 KB | 10 project categories |
| modula-gallery.json | 10 KB | 2 photo galleries |
| navigation.json | 7 KB | 1 navigation menu |
| oembed.json | 2 KB | oEmbed metadata |
| elementor-root.json | 20 KB | Elementor API routes |
| aioseo-root.json | 21 KB | AIOSEO API routes (80+ endpoints) |
| duplicator-root.json | 603 B | Duplicator API routes |
| wp-statistics-root.json | 1 KB | WP Statistics API routes |
| wpforms-root.json | 1 KB | WPForms API routes |
| mc4wp-root.json | 557 B | Mailchimp integration routes |
| catfolders-public.json | 1 KB | CatFolders public API routes |
| readme.html | 7 KB | WordPress readme (exposed) |
| xmlrpc-response.txt | 42 B | XML-RPC response |
| wp-login.html | 92 KB | Login page |
| wp-config-sample.php | 2 KB | Database error page (PHP executed) |

**Total dump:** ~4.2 MB across 68 files

---

## Key Personnel Identified

- **admin** (User ID 1) -- Primary site administrator, developed on Windows localhost
- **Souleymane Zerbo** (User ID 2) -- Content author, likely CBF communications staff

---

## Organizational Context

The CBF (formerly Conseil Burkinabe de l'Anacarde / CBA -- evidenced by legacy URLs like `/plan-de-passation-des-marches-du-conseil-burkinabe-de-lanacarde/`) was restructured and expanded from a cashew-focused council to cover all agropastoral and fisheries sectors. Content references:

- **Moussa Zida** -- President of the CBF Board of Directors
- **Ludovic Prosper Yigo** -- Also officially installed in a leadership role
- **Hien Kpierenouor SOME** -- Secretary General of CBF
- **SOURUPOLE-SEM** -- Related semi-public enterprise
- **PSE-BF** -- Partner organization (recruitment posted)
- **African Cashew Alliance** -- International partnership
- **UNCEEA-BF** -- National Union of Cashew Exporters

The CBF is headquartered in or near Bobo-Dioulasso (referenced in DG installation video from 2020) and operates under government decree for the financing of agropastoral sectors.

---

*Report generated: 2026-03-04*
*Target: www.cbf.bf*
*Dump location: C:\Users\Squir\Desktop\Burkina Faso\DUMP\CBF-WORDPRESS\*
