# CNSS Burkina Faso - WordPress REST API Intelligence Report

**Target:** cnssbf.org (Caisse Nationale de Securite Sociale du Burkina Faso)
**Date:** 2026-03-04
**API Format:** `https://cnssbf.org/index.php?rest_route=/`
**CMS:** WordPress 6.5.5 with WooCommerce 8.2.2
**Site Title:** CNSS BF
**Description:** "Les vertus de la solidarite"
**Home URL:** https://cnssbf.org
**WordPress.com Site ID:** 229886955

---

## Summary

| Resource | Count |
|----------|-------|
| Posts | 204 |
| Pages | 20 |
| Media Items | 1,388 |
| Users | 4 |
| Categories | 19 |
| Tags | 1 |
| Comments | 0 |
| Search Results | 232 |
| Portfolio Items | 8 |
| PDF Documents | 212 |
| API Namespaces | 32 |
| Total API Routes | 1,001 |

---

## Users (4 found)

| ID | Name | Slug | Website | Posts | is_super_admin |
|----|------|------|---------|-------|----------------|
| 1 | admin | admin | https://cnssbf.org | 0 (page author) | false |
| 2 | admin1 | admin1 | (none) | 194 | false |
| 17 | Gerard BEOGO | gebeogo | (none) | 8 | false |
| 18 | Aissatou BARRA | abarra | (none) | 2 | false |

### User Avatar Hashes (LiteSpeed cached Gravatar)

Note: All users expose `woocommerce_meta` fields (empty values but confirming WooCommerce is active for all accounts). No users flagged as `is_super_admin: true` (field hidden for non-authenticated requests).

---

## Plugin/Technology Stack (Identified from API Namespaces)

| Plugin | Namespace | Version Evidence |
|--------|-----------|-----------------|
| WordPress Core | wp/v2 | 6.5.5 |
| WooCommerce | wc/v1, wc/v2, wc/v3, wc/store, wc-admin, wc-analytics, wc-telemetry, wccom-site | 8.2.2 |
| Jetpack | jetpack/v4, jetpack-boost-ds, jetpack-boost/v1, my-jetpack/v1 | Present but NOT connected |
| Jetpack Stats App | jetpack/v4/stats-app | Configured for site ID 229886955 |
| Yoast SEO | yoast/v1 | Active |
| Elementor | elementor/v1 | Active |
| Elementor Pro | elementor-pro/v1 | Active |
| LiteSpeed Cache | litespeed/v1, litespeed/v3 | Active (caching avatars, detecting crawlers) |
| Contact Form 7 | contact-form-7/v1 | Active |
| Post Grid | post-grid/v2 | Active |
| Templately | templately/v1 | Active |
| WP Statistics | wp-statistics/v2 | Active (detected our request as CrawlerDetect) |
| Media Cleaner | media-cleaner/v1 | Active |
| Health Check | health-check/v1 | Active |
| BdThemes Element Pack | (identified via uploaded ZIP) | v7.3.0 |
| WordPress.com Integration | wpcom/v2, wpcom/v3 | Active |

### Jetpack Connection Status
```json
{
  "isActive": false,
  "isStaging": false,
  "isRegistered": false,
  "isUserConnected": false,
  "hasConnectedOwner": false,
  "isPublic": true
}
```
Jetpack is installed but NOT connected to WordPress.com. This means Jetpack features (backups, stats, security) are NOT active. The site relies on other plugins for these functions.

---

## WooCommerce Findings

- **WC v3 API:** All endpoints return 401 (authentication required) - products, orders, customers
- **WC Store API (public):** Accessible but returns empty data:
  - Products: 0
  - Product Categories: 1 (Uncategorized, 0 items)
  - Product Tags: 0
  - Reviews: 0
  - Cart: Empty (currency: USD)
  - Checkout: 401 (requires auth)
- **WC Admin/Analytics:** All return 401
- **Product Categories (WP taxonomy):** 1 category "Uncategorized" with 0 products

**Assessment:** WooCommerce is installed and configured but appears to have NO active products or store activity. The currency is set to USD (not XOF/CFA Franc). This suggests WooCommerce was installed but never properly configured for use, or was used for internal purposes not exposed publicly.

### Jetpack Database Backup Object Types
The Jetpack backup endpoint revealed valid WooCommerce database object types (all require auth):
- `woocommerce_attribute`
- `woocommerce_downloadable_product_permission`
- `woocommerce_order_item`
- `woocommerce_payment_token`
- `woocommerce_tax_rate`
- `woocommerce_webhook`

---

## Content Analysis

### Posts (204 total, 2013-08-09 to 2026-01-21)

**Author Distribution:**

| Author ID | Name | Post Count |
|-----------|------|------------|
| 2 | admin1 | 194 (95%) |
| 17 | Gerard BEOGO | 8 (4%) |
| 18 | Aissatou BARRA | 2 (1%) |

**Recent Posts (2025-2026):**
- Resilience et continuite de service: La Direction Regionale de Bobo-Dioulasso
- Controle special d'affiliation des chauffeurs routiers
- Operation de controle des boulangeries, patisseries et glaciers
- Communique relatif a l'affermage du centre d'accueil et d'hebergement
- Digitalisation des services: la CNSS lance l'application mobile "eCNSS Burkina"
- Conditions Generales d'Utilisation de la plateforme eCNSS
- Action sociale: 600 eleves et 600 veuves beneficient du soutien de la CNSS

**Oldest Post:** 2013-08-09 - "La CNSS bancarise ses prestations"

### Pages (20 total)

| ID | Title | Date | Link |
|----|-------|------|------|
| 67 | Accueil (Homepage) | 2020-03-26 | https://cnssbf.org/ |
| 69 | Actualites | 2018-08-15 | /?page_id=69 |
| 72 | Contact | 2018-08-10 | /?page_id=72 |
| 73 | Evenements | 2018-08-10 | /?page_id=73 |
| 75 | Presentation | 2018-08-10 | /?page_id=75 |
| 1213 | Documentation | 2022-11-04 | /?page_id=1213 |
| 1281 | Indemnites Journaliere de maternite | 2022-11-07 | /?page_id=1281 |
| 1285 | Assurance volontaire | 2022-11-07 | /?page_id=1285 |
| 2379 | Espace Assure | 2022-11-22 | /?page_id=2379 |
| 3085 | Pension directe | 2023-02-09 | /?page_id=3085 |
| 3094 | Assurance volontaire_forms | 2023-02-09 | /?page_id=3094 |
| 3106 | Repartition des cotisations par branche | 2023-02-10 | /?page_id=3106 |
| 3277 | Reversion | 2023-04-18 | /?page_id=3277 |
| 3503 | test | 2023-06-15 | /?page_id=3503 |
| 3545 | Communiques | 2023-06-15 | /?page_id=3545 |
| 4641 | Services | 2023-08-29 | /?page_id=4641 |
| 7241 | Attestation de situation cotisante | 2023-11-09 | /?page_id=7241 |
| 10119 | Contacts | 2024-05-30 | /?page_id=10119 |
| 2 | Sample Page | 2022-10-12 | /?page_id=2 |
| 64 | Test | 2020-05-02 | /?page_id=64 |

Note: Two test pages remain published ("test" and "Test"), and the default "Sample Page" is still live.

### Categories (19)

| ID | Name | Post Count | Parent |
|----|------|------------|--------|
| 31 | Actualites | 153 | - |
| 32 | Communiques | 19 | - |
| 33 | Prestations | 13 | - |
| 34 | Prestations familiales | 3 | Prestations |
| 35 | Risques et maladies professionnelles | 5 | Prestations |
| 36 | Assurances vieillesse | 5 | Prestations |
| 37 | Espace Partenaires | 0 | - |
| 38 | Employeurs | 4 | Espace Partenaires |
| 39 | Travailleurs | 4 | Espace Partenaires |
| 61 | Assure volontaire | 3 | Espace Partenaires |
| 64 | Presentation | 3 | - |
| 65 | Action sanitaire et sociale | 2 | Prestations |
| 66 | Editorial | 1 | - |
| 67 | privacy | 1 | - |
| 40 | Test | 0 | - |
| 58 | Annuaires | 0 | Documentation |
| 59 | Documentation | 0 | - |
| 60 | Textes et lois | 0 | Documentation |
| 1 | Uncategorized | 2 | - |

---

## Media Library Analysis (1,388 items)

### By MIME Type

| Type | Count |
|------|-------|
| image/jpeg | 981 |
| application/pdf | 212 |
| image/png | 162 |
| image/gif | 17 |
| image/svg+xml | 8 |
| image/webp | 4 |
| application/zip | 2 |
| application/vnd.openxmlformats-officedocument.wordprocessingml.document | 1 |
| application/vnd.ms-excel | 1 |

**Date Range:** 2022-10-21 to 2026-01-21

### HIGH VALUE: PDF Documents (212 files)

#### Statistical Yearbooks (Annuaires) - 31 files
These contain CNSS operational statistics by year:
- `Annuaire_2024_CNSS_BURKINA-FASO.pdf` (latest - July 2025)
- `Annuaire_stat_cnss_2023.pdf`
- `Annuaire_2016-CNSS.pdf`
- `Annuaire_2015-CNSS.pdf`
- `Annuaire_2013-CNSS.pdf`
- `annuaire_2014_cnss.pdf`
- `annuaire2011_cnss_siteweb.pdf`
- `annuaire2010_cnss_siteweb.pdf`
- `annuairestatcnss_2009.pdf`
- `annuairestatcnss_2008.pdf`
- Plus 21 more annual statistical reports

#### Employee Examination Results (Resultat EPE) - 23 files
CNSS recruitment exam results with admitted candidate lists:
- `Resultat_EPE_2024_Technicien_biomedical_admis.pdf`
- `Resultat_EPE_2024_SFME_admis.pdf`
- `Resultat_EPE_2024_Secretaires_BAC_G1_admis.pdf`
- `Resultat_EPE_2024_Plombiers_admis.pdf`
- `Resultat_EPE_2024_Mecaniciens_admis.pdf`
- `Resultat_EPE_2024_ingenieur_concept_infor_genie_logiciel_bac5_admis.pdf`
- `Resultat_EPE_2024_ingenieur_concep_BTP_admis.pdf`
- `Resultat_EPE_2024_ingenieur_application_infor_genie_logiciel_bac3_admis.pdf`
- `Resultat_EPE_2024_IDE_admis.pdf`
- `Resultat_EPE_2024_IB_admis.pdf`
- `Resultat_EPE_2024_Comptable_gestionnaire_comptes_admis.pdf`
- `Resultat_EPE_2024_Controleur_securite_sociale_admis.pdf`
- `Resultat_EPE_2024_Agent_bureau_Bepc_admis.pdf`
- Plus others covering all CNSS job categories

#### Laws, Decrees, and Regulations - 78 files
Burkina Faso social security legislation:
- `loi_016-2006-an.pdf`
- `loi_2006-015an.pdf`
- `loi010-2013.pdf`
- `decret_2007-735.pdf`
- `decret_2007-736.pdf`
- `decret_2007-413.pdf`
- `arrete_2008-001.pdf` through `arrete_2008-008.pdf`
- `arrete_98_008.pdf`
- `arrete_025_expertise.pdf`
- `arrete_023_octroi_action_sanitaire_et_sociale.pdf`
- `arrete_conjoint_24_comite_sante.pdf`
- `reglement_interieur_entreprises.pdf`
- `reglement_interieur_onss.pdf`
- Plus 60+ more legal documents

#### Administrative Forms - 27 files
CNSS forms for employers and workers:
- `1_Bordereau-Nominatif-des-Travailleurs-Salaries.pdf`
- `2_Bordereau-de-lAssure-volontaire.pdf`
- `3_E-Bordereau-nominatif-des-travailleurs-salaries.pdf`
- `4_Bordereau-Nominatif-Annuel-des-Travailleurs-Salaries.pdf`
- `5_Declaration-recapitulative-des-salaires.pdf`
- `6_Declaration-Recapitulative-Annuelle-des-Salaires.pdf`
- `paiement_de_cotisation.pdf`
- `liquidation_vieillesse.pdf`
- `demande_familiale.pdf`
- `employeur.pdf`
- `travailleur.pdf`
- `assurance_volontaire.pdf`
- `SOUSCRIPTION-A-LASSURANCE-VOLONTAIRE.docx` (DOCX format)
- `bnts_assurance_volontaire.xls` (Excel format)

### Other Notable Files
- **Plugin ZIP uploaded to media:** `bdthemes-element-pack-v7.3.0.zip` (uploaded twice, IDs 10543 and 4583) - this is a premium Elementor addon uploaded directly to the media library
- **Excel spreadsheet:** `bnts_assurance_volontaire.xls` - voluntary insurance data
- **DOCX:** `SOUSCRIPTION-A-LASSURANCE-VOLONTAIRE.docx` - voluntary insurance subscription form

---

## Post Types Registered

| Slug | Name | Description |
|------|------|-------------|
| post | Articles | Standard posts |
| page | Pages | Standard pages |
| attachment | Fichier media | Media files |
| nav_menu_item | Elements de menu | Navigation menu items |
| wp_block | Compositions | Reusable blocks |
| wp_template | Modeles | Theme templates |
| wp_template_part | Elements de modeles | Template parts |
| wp_navigation | Menus de navigation | Navigation menus |
| wp_font_family | Familles de polices | Font families |
| wp_font_face | Polices de caracteres | Font faces |
| jb_store_css | Posts | Jetpack Boost CSS cache |
| **product** | **Produits** | WooCommerce products |
| **portfolio** | **Portfolios** | Portfolio items |
| post_grid_template | Saved Templates | Post Grid saved templates |
| ep_megamenu_content | Mega Menu Items | Element Pack mega menu |
| post_grid_layout | Saved Layouts | Post Grid saved layouts |

### Portfolio Items (8 - demo/placeholder content)
All dated 2018-05-24 (theme demo content never removed):
- The Basket of Flowers
- A Famous Ferris Wheel
- Complementary Colors
- Business Prestige
- Colorful Origami Boats
- Modern Couch
- Hot Air Balloons
- Make Difference

---

## Security Observations

### Exposure Level
1. **User Enumeration:** 4 user accounts fully exposed with names, slugs, and avatar hashes
2. **Author Endpoint:** `/?author=1` through `/?author=18` accessible
3. **Default admin username:** User ID 1 is literally named "admin" with slug "admin"
4. **Second admin:** User ID 2 is "admin1" - suggests the original admin created a second account
5. **Real names exposed:** Gerard BEOGO and Aissatou BARRA with their slugs (gebeogo, abarra)
6. **Test pages published:** "test" (ID 3503), "Test" (ID 64), and "Sample Page" (ID 2) are all live
7. **Plugin ZIP in media library:** `bdthemes-element-pack-v7.3.0.zip` uploaded twice, suggesting manual plugin installation

### Jetpack Not Connected
Jetpack is installed but not connected to WordPress.com. This means:
- No Jetpack security features active
- No cloud backups via Jetpack
- No brute force protection from Jetpack
- WAF endpoint exists but not functional

### WP Statistics Crawler Detection
The WP Statistics plugin detected our requests as a crawler (`CrawlerDetect` exclusion). This means the site tracks visitor statistics but filters bot traffic.

### API Routes Exposed
1,001 API routes across 32 namespaces are discoverable. While most sensitive endpoints require authentication, the route listing itself reveals the complete plugin and technology stack.

### LiteSpeed Cache
All Gravatar images are cached locally by LiteSpeed, with versioned filenames. This indicates:
- LiteSpeed Cache plugin is active and configured
- Local avatar caching is enabled
- Cache appears to be serving content effectively

### Content Security
- 212 PDF documents publicly accessible via direct URL
- Statistical yearbooks contain CNSS operational data
- Employee examination results contain names of admitted candidates
- Internal forms and administrative documents are downloadable
- Legal/regulatory documents of Burkina Faso social security system

---

## API Access Summary

### Accessible (200 OK, data returned)
- `/wp/v2/posts` - All 204 posts with full content
- `/wp/v2/pages` - All 20 pages with full content
- `/wp/v2/media` - All 1,388 media items with URLs
- `/wp/v2/users` - 4 users with metadata
- `/wp/v2/categories` - 19 categories
- `/wp/v2/tags` - 1 tag
- `/wp/v2/search` - 232 searchable items
- `/wp/v2/types` - 16 registered post types
- `/wp/v2/taxonomies` - 11 taxonomies
- `/wp/v2/statuses` - Post statuses
- `/wp/v2/portfolio` - 8 portfolio items
- `/wp/v2/product_cat` - 1 product category
- `/wc/store/v1/products` - Empty
- `/wc/store/v1/cart` - Empty cart (USD currency)
- `/jetpack/v4/connection` - Connection status (not connected)
- `/oembed/1.0/embed` - oEmbed data
- All namespace root endpoints (route discovery)

### Blocked (401/403)
- `/wc/v3/*` - All WooCommerce admin API endpoints
- `/wp/v2/settings` - Site settings
- `/wp/v2/plugins` - Plugin list
- `/wp/v2/themes` - Theme list
- `/wp/v2/templates` - Templates
- `/wp/v2/menu-items` - Menu items
- `/wp/v2/menus` - Menus
- `/jetpack/v4/site` - Site info
- `/jetpack/v4/module/all` - Module list
- `/jetpack/v4/plugins` - Plugin list
- `/jetpack/v4/options/backup` - Options backup
- `/jetpack/v4/database-object/backup` - DB object backup
- `/elementor/v1/form-submissions` - Form submissions
- `/elementor/v1/forms` - Forms list
- `/contact-form-7/v1/contact-forms` - CF7 forms
- `/yoast/v1/statistics` - SEO statistics
- `/wp-site-health/v1/tests/*` - All health tests
- `/wc-analytics/reports` - Analytics reports

---

## Files Saved

### JSON Data Files
- `api-root.json` - Full API root (1.49 MB, 1001 routes)
- `posts-page1.json` through `posts-page3.json` - 204 posts
- `pages-page1.json` - 20 pages
- `media-page1.json` through `media-page15.json` - 1,388 media items
- `users-page1.json` - 4 users
- `categories-page1.json` - 19 categories
- `tags-page1.json` - 1 tag
- `comments-page1.json` - 0 comments
- `search-page1.json` through `search-page3.json` - 232 search results
- `types.json` - 16 post types
- `taxonomies.json` - 11 taxonomies
- `statuses.json` - Post statuses
- `portfolio.json` - 8 portfolio items
- `product-categories.json` - Product categories
- `product-tags.json` - Product tags
- `products-wp.json` - Products (empty)
- `blocks.json` - Blocks (empty)
- `navigation.json` - Navigation (empty)
- `oembed-homepage.json` - Homepage oEmbed
- `jetpack-connection.json` / `jetpack-connection-full.json` - Connection status
- `jetpack-site.json` - Site info (401)
- `jetpack-modules.json` - Modules (401)
- `jetpack-waf.json` - WAF status (401)
- `jetpack-plugins.json` - Plugins (401)
- `jetpack-db-woocommerce_*.json` - DB backup attempts (401)
- `wc-*.json` - All WooCommerce endpoint responses
- `wp-statistics.json` / `wp-statistics-online.json` / `wp-statistics-hit.json`
- `yoast.json` - Yoast route discovery
- `elementor.json` / `elementor-pro.json` / `elementor-*.json`
- `litespeed-v1.json` / `litespeed-v3.json` / `litespeed-check-ip.json`
- `contact-form-7.json`
- `my-jetpack.json` / `my-jetpack-site.json`
- `health-check.json` / `health-*.json`
- `post-grid.json` / `templately.json` / `media-cleaner.json`
- `wc-admin.json` / `wc-analytics.json` / `wc-telemetry.json`
- `wpcom-v2.json` / `wccom-site-v1.json` / `wccom-site-v2.json`
- `settings.json` / `themes.json` / `plugins.json` / `templates.json` (all 401)

### Text Indices
- `all-routes.txt` - All 1,001 API routes with HTTP methods
- `pdf-urls.txt` - 212 PDF download URLs
- `document-urls.txt` - 216 non-image media URLs
- `all-media-urls.txt` - 1,388 media download URLs

### This Report
- `CNSS-WORDPRESS-INTELLIGENCE.md`

**Total dump size:** ~13 MB across 129+ files

---

## Key Intelligence Takeaways

1. **CNSS is Burkina Faso's national social security agency** - this is their primary public website
2. **212 PDF documents are freely downloadable** including annual statistical yearbooks (2008-2024), recruitment exam results with names, internal forms, and dozens of legal texts
3. **The site has 4 user accounts exposed** with predictable admin usernames ("admin", "admin1") and two real employee names
4. **WooCommerce is installed but unused** - no products, no orders, wrong currency (USD instead of XOF)
5. **Jetpack is installed but not connected** - no cloud security features active
6. **The site was first set up around 2018** (portfolio demo content from May 2018) but migrated content dates back to 2013
7. **Test/sample pages remain published** indicating lax content management
8. **A premium plugin ZIP was uploaded to the media library** rather than installed through the plugin manager, suggesting potentially nulled/pirated software
9. **The eCNSS mobile app and digital platform** is a recent initiative (2025) for digitalizing CNSS services
10. **Content is primarily in French** (official language of Burkina Faso)
