# SIAO WordPress REST API Intelligence Report

**Target:** siao.bf (Salon International de l'Artisanat de Ouagadougou)
**Date:** 2026-03-04
**API Base:** https://siao.bf/wp-json/
**Total Dump Size:** ~1.4 MB

---

## Summary Counts

| Endpoint     | Count |
|-------------|-------|
| Posts        | 0     |
| Pages        | 9     |
| Media        | 56    |
| Users        | 1     |
| Categories   | 3     |
| Tags         | 0     |
| Comments     | 0     |
| Search Items | 20    |

---

## Site Assessment

SIAO.bf is a **newly built / under-construction WordPress site**. Evidence:
- Zero blog posts published
- Only 9 pages (mostly boilerplate)
- Default categories still present ("General", "Non classe", "Uncategorized")
- SureCart demo/sample products still present
- Media uploaded January 2026 (site recently launched)
- Single admin user with no profile details

---

## Users Identified

| ID | Username | Display Name | Notes |
|----|----------|-------------|-------|
| 1  | admin    | admin       | Default WordPress admin account, no description, no URL |

Only one user exists, and it uses the default "admin" username (a security anti-pattern).

---

## Pages

| ID | Title           | Status  | Purpose |
|----|----------------|---------|---------|
| 50 | Accueil         | publish | Homepage |
| 51 | A propos        | publish | About page |
| 52 | Services        | publish | Services |
| 53 | Articles        | publish | Blog (empty) |
| 54 | Contact         | publish | Contact page |
| 30 | Boutique        | publish | Shop (SureCart) |
| 28 | Dashboard       | publish | Customer dashboard (SureCart) |
| 27 | Checkout        | publish | Checkout (SureCart) |
| 2  | Page d'exemple  | publish | Default WordPress sample page |

Default WordPress sample page (ID 2) still published -- confirms site is freshly installed and not fully configured.

---

## Plugin / Namespace Surface

| Namespace              | Plugin/Purpose                    | Auth Required |
|-----------------------|----------------------------------|--------------|
| `surecart/v1`          | SureCart (full e-commerce)        | TIMEOUT      |
| `sureforms/v1`         | SureForms (form builder)         | Unknown      |
| `surerank/v1`          | SureRank (SEO plugin)            | Unknown      |
| `sure-triggers/v1`     | SureTriggers (automation)        | Unknown      |
| `spectra/v1`           | Spectra (Gutenberg blocks)       | Unknown      |
| `uag/v1`               | Ultimate Addons for Gutenberg    | Unknown      |
| `astra/v1`             | Astra Theme                      | Unknown      |
| `gutenberg-templates/v1` | Starter Templates              | Unknown      |
| `zipwp/v1`             | ZipWP (AI website builder)       | Unknown      |
| `zipwp-images/v1`      | ZipWP Images                     | Unknown      |
| `nps-survey/v1`        | NPS Survey                       | Unknown      |

### Notable Findings -- SureCart E-Commerce

SureCart exposes a massive API surface with endpoints for:
- **Customers** (`/surecart/v1/customers`) -- customer data
- **Orders** (`/surecart/v1/orders`) -- order history
- **Checkouts** (`/surecart/v1/checkouts`) -- active checkouts
- **Products** (`/surecart/v1/products`) -- product catalog
- **Subscriptions** (`/surecart/v1/subscriptions`) -- subscription management
- **Charges** (`/surecart/v1/charges`) -- payment charges
- **Refunds** (`/surecart/v1/refunds`) -- refund records
- **Payment Methods** (`/surecart/v1/payment_methods`) -- stored payment methods
- **Payment Intents** (`/surecart/v1/payment_intents`) -- payment processing
- **Processors** (`/surecart/v1/processors`) -- payment processor config
- **Invoices** (`/surecart/v1/invoices`) -- invoice data
- **Licenses** (`/surecart/v1/licenses`) -- license management
- **Affiliations** (`/surecart/v1/affiliations`) -- affiliate system
- **Abandoned Checkouts** (`/surecart/v1/abandoned_checkouts`) -- cart abandonment data
- **Exports** (`/surecart/v1/exports`) -- data export functionality
- **Downloads** (`/surecart/v1/downloads`) -- digital product downloads
- **Fulfillments** (`/surecart/v1/fulfillments`) -- order fulfillment
- **Coupons** (`/surecart/v1/coupons`) -- discount codes
- **Webhook Endpoints** (`/surecart/v1/webhooks`) -- webhook configuration

All SureCart endpoints timed out during testing (60s timeout exceeded), so their authentication requirements could not be determined. This could indicate:
1. Server-side processing delay
2. SureCart API proxying to an external service
3. Firewall/WAF blocking non-browser requests

### SureCart Products (from Search)

Demo/sample products still visible in search results:
- Multiple Variation Product (ID 35)
- Simple Installment Product (ID 40)
- Simple Physical Product (ID 41)
- Subscription Product With Setup Fee (ID 44)
- Name Your Own Price Product (ID 36)
- Product Multiple Subscription Options (ID 37)
- Single Variable Product (ID 42)
- Sale Product (ID 38)
- Simple Digital Product (ID 39)
- Subscription Product With Free Trial (ID 43)

These are all SureCart demo products, confirming the e-commerce is not yet configured for real use.

### Notable Findings -- SureForms

A "Simple Contact Form" (ID 231) exists. The SureForms API exposes:
- `/sureforms/v1/entries/list` -- form submission entries
- `/sureforms/v1/entries/export` -- export form data
- `/sureforms/v1/submit-form` -- form submission endpoint
- `/sureforms/v1/forms` -- form listing

### Notable Findings -- SureRank SEO

SureRank exposes SEO configuration endpoints:
- `/surerank/v1/admin/site-settings` -- site SEO settings
- `/surerank/v1/robots-txt` -- robots.txt configuration
- `/surerank/v1/sitemap/generate-cache` -- sitemap generation
- `/surerank/v1/google-search-console/*` -- Google Search Console integration

### Notable Findings -- SureTriggers Automation

SureTriggers exposes automation/webhook infrastructure:
- `/sure-triggers/v1/automation/triggers` -- automation triggers
- `/sure-triggers/v1/connection/create-wp-connection` -- WP connection creation
- `/sure-triggers/v1/connection/disconnect` -- connection management

---

## Content Types

| Slug            | Name               | Notable |
|----------------|-------------------|---------|
| sc_form         | Checkout Forms     | SureCart |
| sc_cart          | Carts              | SureCart |
| sc_product       | SureCart Product    | SureCart |
| spectra-popup    | Popup Builder      | Spectra |
| sureforms_form   | Formulaires        | SureForms |

Heavy reliance on Starter Templates (Brainstorm Force) ecosystem: Astra theme + Spectra + SureForms + SureRank + SureCart.

---

## Media Analysis

56 media items uploaded, all from January 2026:
- Site branding: `icone.png`, `logosiao.jpg` (SIAO logo)
- Page backgrounds: `services-bg`, `about-bg`, `our-history` images
- Multiple image sizes generated (150x150, 300x*, 1024x*)
- Upload path: `/wp-content/uploads/2026/01/`

---

## Security Observations

1. **Default "admin" username** -- brute-force target, should be renamed
2. **Default sample page still published** -- site not hardened
3. **SureCart demo products live** -- e-commerce not configured, but full API surface exposed
4. **Massive SureCart API surface** -- customer data, orders, payment methods, charges, refunds, coupons, webhooks all potentially accessible if auth is misconfigured
5. **SureForms entry export endpoint** -- could leak form submission data if unprotected
6. **SureTriggers connection endpoints** -- automation infrastructure exposed
7. **Single admin user** -- no separation of duties
8. **Site appears freshly built** (Jan 2026) -- likely minimal security hardening performed
9. **Full WP REST API exposed** without visible rate limiting
10. **SureCart endpoints time out** -- may indicate backend issues or external API dependency

---

## Comparison with FESPACO

| Metric         | FESPACO      | SIAO        |
|---------------|-------------|-------------|
| Posts          | 1,179       | 0           |
| Pages          | 164         | 9           |
| Media          | 2,019       | 56          |
| Users          | 3           | 1           |
| Categories     | 89          | 3           |
| Comments       | 307         | 0           |
| Dump Size      | 17 MB       | 1.4 MB      |
| Maturity       | Established | New/Under construction |
| Theme          | Divi        | Astra       |
| E-commerce     | FasoArzeka  | SureCart    |
| Multilingual   | Yes (FR/EN) | No          |
| SEO Plugin     | None visible| SureRank    |

---

## Files Dumped

- `api-root.json` -- Full API schema (642 KB)
- `pages-page1.json` -- 9 pages
- `media-page1.json` -- 56 media items
- `users-page1.json` -- 1 user
- `categories-page1.json` -- 3 categories
- `search-page1.json` -- 20 search items
- `types.json` -- 16 content types
- `taxonomies.json` -- 5 taxonomies
