# FESPACO WordPress REST API Intelligence Report

**Target:** fespaco.bf (Pan-African Film and Television Festival of Ouagadougou)
**Date:** 2026-03-04
**API Base:** https://fespaco.bf/wp-json/
**Total Dump Size:** ~17 MB

---

## Summary Counts

| Endpoint     | Count  |
|-------------|--------|
| Posts        | 1,179  |
| Pages        | 164    |
| Media        | 2,019  |
| Users        | 3      |
| Categories   | 89     |
| Tags         | 0      |
| Comments     | 307    |
| Search Items | 1,343  |

---

## Users Identified

| ID | Username     | Display Name       | Gravatar Hash |
|----|-------------|-------------------|---------------|
| 2  | etienneb    | Etienne Bougouma  | 973b97b3460a1288340fae9a06955dfc |
| 7  | admin       | admin             | 51ae7307cf45f9cc0de57896fe8d995423a795cef6a68e692dab78d09b5a734f |
| 13 | diabo       | Aichatou DIABO    | 71d9db39d2594f07b9fe27a707be991371025fb2e5d147045ffbd1c6afd0d3ae |

- User "etienneb" (Etienne Bougouma) has its profile URL set to https://fespaco.bf -- likely the site administrator or webmaster.
- Gravatar hashes are exposed for all 3 users (can be used for email enumeration).

---

## Plugin / Namespace Surface

| Namespace           | Plugin/Purpose                     | Auth Required |
|--------------------|-----------------------------------|--------------|
| `gf/v2`            | Gravity Forms (forms + entries)    | YES (401)    |
| `jetpack/v4`       | Jetpack (connection, sync, stats)  | YES (401)    |
| `jetpack-boost-ds` | Jetpack Boost (performance)        | YES (401)    |
| `wp-super-cache/v1`| WP Super Cache                     | YES (401)    |
| `pll/v1`           | Polylang (multilingual)            | NO (200)     |
| `divi/v1`          | Divi Theme Builder                 | Partial      |
| `fasoarzeka/v1`    | FasoArzeka (payment gateway)       | NO (200)     |
| `burst/v1`         | Burst Statistics (analytics)       | Unknown      |
| `wpcom/v2`         | WordPress.com integration          | YES          |
| `my-jetpack/v1`    | My Jetpack                         | YES          |

### Notable Findings -- FasoArzeka Payment Gateway

A custom REST API namespace `fasoarzeka/v1` is exposed with:
- `/fasoarzeka/v1/callback` -- GET/POST endpoint (payment callback, no auth parameters listed)
- `/fasoarzeka/v1/receipt/(?P<entry_id>\d+)` -- GET endpoint requiring `entry_id` and `token` parameters

FasoArzeka appears to be a Burkinabè mobile money / payment integration. The receipt endpoint accepts sequential `entry_id` values, which could be enumerated if the tokens are weak or predictable.

### Notable Findings -- Gravity Forms

The Gravity Forms v2 API is present with endpoints for forms, entries, notes, notifications, feeds, submissions, and results. All endpoints returned 401 (authentication required), but their presence confirms that form data collection is active on the site.

### Notable Findings -- Divi Theme

Divi Builder REST endpoints are exposed. The `get_layout_content` and `builder_edit_data` endpoints accept POST requests with `id` and `nonce` parameters. A nonce is required, but layout IDs could be brute-forced if nonce validation is weak.

---

## Language Configuration (Polylang)

| Language | Slug | Content Items |
|----------|------|--------------|
| Français | fr   | 745          |
| English  | en   | 598          |

The site is bilingual (French primary, English secondary). French home: https://fespaco.bf/ ; English home: https://fespaco.bf/en/welcome-to-fespaco/

---

## Content Types

| Slug           | Name                    |
|---------------|------------------------|
| post           | Articles               |
| page           | Pages                  |
| attachment     | Media Files            |
| project        | Projets                |
| jb_store_css   | Posts (CSS storage)     |
| wp_block       | Compositions           |
| wp_template    | Templates              |
| nav_menu_item  | Navigation Menu Items  |

Custom post type `project` with associated `project_category` and `project_tag` taxonomies -- used for FESPACO film projects.

---

## Categories (Notable)

- **Fespaco News** (ID 4): 216 posts -- main news category
- **FESPACO Shorts 2025** (ID 434/436): 33-34 posts -- short film selections
- **Animation 2025** (ID 442/444): 18 posts -- animation selections
- **Burkina Films 2025** (ID 430/432): 19 posts
- **FESPACO Classics 2025** (ID 458/460): 20 posts
- **FESPACO VR** (ID 811/817): 6 posts -- virtual reality content
- **Catalogue Films 2025** (ID 751): 16 posts -- full film catalog
- **Catalogue societe 2025** (ID 768): 8 posts -- production company catalog

Categories appear in duplicated French/English pairs (bilingual setup via Polylang).

---

## Recent Posts Analysis

The most recent posts are from February 2026 and announce the **30th edition, FESPACO 2027**:
- Call for films for FESPACO 2027
- Official selection rules and registration conditions
- International and plural selection committee

Earlier posts from March 2025 cover **FESPACO 2025 (29th edition)** results:
- "L'Homme-Vertige" by Malaury Eloi Paisley won Documentary Golden Stallion of Yennenga
- Dani Kouyate honored with Golden Stallion of Yennenga
- Film entries: ORIGEN, DAKAR FAAN CLUB, NDOKETTE

---

## Comment Spam Analysis

Total comments: 307
- **Identified spam**: ~16 spam author names detected (gambling: slot 10k, togel, pestoto, empire88, casino, toto togel, hptoto, depo 10k)
- **Other authors**: 258 unique names
- Spam content suggests a lack of anti-spam filtering (no Akismet or similar)
- No email addresses exposed in comment data

---

## Security Observations

1. **Gravatar hashes exposed** for all 3 users -- can be used for email discovery via rainbow tables
2. **FasoArzeka payment gateway** callback endpoint publicly accessible -- potential for payment manipulation testing
3. **Receipt endpoint** with sequential IDs -- IDOR potential if token validation is weak
4. **Comment spam present** -- indicates weak or absent anti-spam measures
5. **Gravity Forms active** -- form submission data being collected (auth-protected)
6. **Divi Builder endpoints** -- layout content retrieval possible if nonce bypass found
7. **Full WP REST API exposed** -- no rate limiting observed
8. **1,179 posts + 2,019 media items** fully enumerable -- complete content extraction achieved

---

## Files Dumped

- `api-root.json` -- Full API schema (417 KB)
- `posts-page[1-12].json` -- 1,179 posts across 12 pages
- `pages-page[1-2].json` -- 164 pages
- `media-page[1-24].json` -- 2,019 media items across 24 pages
- `users-page1.json` -- 3 users
- `categories-page1.json` -- 89 categories
- `comments-page[1-4].json` -- 307 comments
- `search-page[1-14].json` -- 1,343 search items
- `types.json` -- 13 content types
- `taxonomies.json` -- 6 taxonomies
- `pll-languages.json` -- Polylang language config
- `fasoarzeka-root.json` -- Payment gateway namespace
- `divi-root.json` -- Divi Builder namespace
- `gf-forms.json` -- Gravity Forms (401 - auth required)
- `gf-entries.json` -- Gravity Forms entries (401 - auth required)
- `jetpack-site.json` -- Jetpack site info (401 - auth required)
- `supercache-stats.json` -- WP Super Cache (401 - auth required)
