# CNSS WordPress (cnssbf.org) - Intelligence Report
**Date:** 2026-03-04
**Target:** https://cnssbf.org
**Platform:** WordPress 6.5.5 + WooCommerce 8.2.2

---

## Summary

The Caisse Nationale de Securite Sociale (CNSS) of Burkina Faso runs a publicly accessible WordPress instance at cnssbf.org with extensive REST API exposure. All standard WordPress REST endpoints are reachable without authentication and return full data, including user enumeration, complete post/page content, and media library metadata.

## Data Extracted

| Endpoint | Records | Pages | Notes |
|----------|---------|-------|-------|
| /wp/v2/posts | **204** | 3 | Full content, dates back to site creation |
| /wp/v2/pages | **20** | 1 | All published pages including test pages |
| /wp/v2/media | **1,288** | 15 | Complete media library with source URLs |
| /wp/v2/users | **4** | 1 | Full user enumeration (see below) |
| /wp/v2/categories | **19** | 1 | Organizational structure revealed |
| /wp/v2/tags | **1** | 1 | Minimal tagging |
| /wp/v2/comments | **0** | - | Comments disabled or empty |
| /wp/v2/search | **232** | 3 | Full search index |
| /wp/v2/types | all | - | Custom post types including portfolio |

**Total dump size:** ~14 MB (126 JSON files)

## User Enumeration (Critical)

| ID | Slug | Display Name | Profile URL |
|----|------|-------------|-------------|
| 1 | admin | admin | https://cnssbf.org/?author=1 |
| 2 | admin1 | admin1 | https://cnssbf.org/?author=2 |
| 17 | gebeogo | Gerard BEOGO | https://cnssbf.org/?author=17 |
| 18 | abarra | Aissatou BARRA | https://cnssbf.org/?author=18 |

- Two generic admin accounts (admin, admin1) - poor naming hygiene
- Two named staff accounts with real names exposed
- Gap in IDs (2 -> 17) suggests deleted users or accounts created in non-sequential order
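As an added hardening example (not part of this report and not the target's configuration), the following must-use plugin closes the two enumeration paths the table above relies on: the `/wp/v2/users` REST routes for anonymous requests, and the `?author=N` front-end redirect that reveals the login slug. The file path and plugin name are assumptions; the hooks (`rest_endpoints`, `template_redirect`) and helper functions are standard WordPress APIs.

```php
<?php
/**
 * Plugin Name: Block unauthenticated user enumeration
 * Description: Added hardening example. Assumed location:
 *              wp-content/mu-plugins/block-user-enum.php
 */

// 1. Remove every /wp/v2/users route for anonymous REST clients.
//    WP_REST_Server authenticates (cookie+nonce, application passwords)
//    before it builds the route table, so is_user_logged_in() is reliable
//    here. Logged-in editors keep the routes, which the block editor needs.
add_filter( 'rest_endpoints', function ( array $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    foreach ( array_keys( $endpoints ) as $route ) {
        // Covers /wp/v2/users, /wp/v2/users/(?P<id>[\d]+) and /wp/v2/users/me.
        if ( 0 === strpos( $route, '/wp/v2/users' ) ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
} );

// 2. Stop ?author=N from being canonical-redirected to /author/<slug>/.
//    Priority 1 runs before core's redirect_canonical() (priority 10),
//    so the slug is never emitted in a Location header for anonymous users.
add_action( 'template_redirect', function () {
    if ( ! is_user_logged_in() && ( is_author() || isset( $_GET['author'] ) ) ) {
        wp_safe_redirect( home_url( '/' ), 302 );
        exit;
    }
}, 1 );
```

After deploying, an anonymous `GET /wp-json/wp/v2/users` returns a `rest_no_route` 404 instead of the user list, and `GET /?author=1` lands on the home page rather than on `/author/admin/`. This does not affect authenticated editors, and it does not replace renaming the generic `admin`/`admin1` accounts or enforcing MFA and login rate limiting.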

## Plugin/Technology Stack Identified

| Component | Version/Details |
|-----------|----------------|
| WordPress | 6.5.5 |
| WooCommerce | 8.2.2 (store active, USD currency, US shipping default) |
| Yoast SEO | 21.9.1 |
| Jetpack | Active (connected) |
| LiteSpeed Cache | Active (v1 + v3 APIs exposed) |
| Elementor + Elementor Pro | Active |
| Contact Form 7 | Active |
| WP-Statistics | Active (hit tracking, online counter) |
| Templately | Active |
| Post Grid | Active |
| Media Cleaner | Active |
| LiteSpeed | Web server |

## WooCommerce Findings

- Store is active with USD ($) currency (unusual for Burkina Faso - should be XOF/CFA Franc)
- Default shipping address set to California, US (default WooCommerce config, never changed)
- Empty cart endpoint fully accessible
- Product categories exist (5,470 bytes of category data) but no public products listed
- Analytics endpoint exists but requires authentication
- Payment gateways endpoint requires authentication

## Exposed API Namespaces (from api_root.json - 1.5MB)

The full REST API root lists every registered route namespace, including:
- wp/v2/* (standard WordPress)
- wc/v1/*, wc/v2/*, wc/v3/* (WooCommerce admin APIs - auth required)
- wc/store/v1/* (WooCommerce Store API - partially open)
- jetpack/v4/* (Jetpack routes)
- wp-statistics/v2/* (traffic statistics)
- elementor/v1/* (page builder)
- contact-form-7/v1/* (forms)
- yoast/v1/* (SEO)
- litespeed/v1/*, litespeed/v3/* (caching)
- wpcom/v2/* (WordPress.com integration)
- wp-site-health/v1/* (site health checks)

## Key Observations

1. **No rate limiting detected** on any API endpoint
2. **User enumeration fully open** - attacker can enumerate all usernames for brute-force
3. **WooCommerce misconfigured** - USD currency and US address for a Burkinabe institution
4. **Test pages in production** - "test" and "Sample Page" still published
5. **1,288 media items** with full source URLs - potential for bulk media download
6. **204 posts** spanning organizational news, policy announcements, communiques
7. **Jetpack connected** - indicates WordPress.com account linkage
8. **WP-Statistics online counter** accessible without auth - can track admin activity
9. **Complete organizational structure** visible through categories (departments, services)
10. **LiteSpeed avatar caching** exposed - cached Gravatar hashes visible in user data

## Files in This Dump

- `posts_page[1-3].json` - 204 posts with full rendered HTML content
- `pages_page1.json` - 20 pages with full content
- `media_page[1-15].json` - 1,288 media items with URLs and metadata
- `users_page1.json` - 4 users with profile data and avatar hashes
- `categories_page1.json` - 19 content categories
- `tags_page1.json` - Tags
- `search_page[1-3].json` - 232 search index entries
- `types.json` - Custom post type definitions
- `api_root.json` - Complete REST API route map (1.5MB)
- `jetpack.json` - Jetpack configuration routes
- `yoast.json` - Yoast SEO routes
- `wp_statistics.json` - Statistics API routes
- `wc_cart.json` - WooCommerce cart state
- Plus 110+ additional plugin/API response files
