# 2IE-EDU.ORG WordPress REST API Intelligence Report

**Target:** https://2ie-edu.org
**API Root:** https://2ie-edu.org/wp-json/
**Date of Collection:** 2026-03-04
**Organization:** Institut International d'Ingenierie de l'Eau et de l'Environnement (2iE)
**Location:** Ouagadougou, Burkina Faso

---

## Summary Statistics

| Resource | Count |
|----------|-------|
| Posts | 377 |
| Pages | 167 |
| Media Items | 299 |
| Comments | 267 |
| Search Index Entries | 726 |
| WPDM Downloads | 146 |
| Categories | 22 |
| Tags | 47 |
| Job Listings | 2 |
| Teachers/Faculty | 4 |
| Layout Blocks | 7 |
| API Namespaces | 27 |
| API Routes | 392 |
| Unique Commenters | 228 |
| **Total Files Dumped** | **104** |
| **Total Data Size** | **10.3 MB** |

## Post Date Range

- **Oldest post:** 2019-07-02T00:36:42
- **Newest post:** 2026-02-19T18:23:40
- **Active publishing period:** ~2019 to present (Feb 2026)

## Author IDs Found (in posts/pages)

Author IDs: [1, 2, 3, 8, 9, 10]

- Author enumeration via `/wp/v2/users` and `/?author=N` is **blocked** (403/401)
- 6 unique author IDs found across content: 1, 2, 3, 8, 9, 10
- Author 3: 260 posts
- Author 9: 60 posts
- Author 10: 29 posts
- Author 8: 28 posts

## Contact Information Discovered

- **Organization email:** 2ie@2ie-edu.org
- **Phone:** +226 25 49 28 00
- **Website:** https://www.2ie-edu.org
- **Physical addresses:**
  - 2iE - Institut International d'Ingenierie de l'Eau et de l'Environnement, Ouagadougou, Burkina Faso
  - SALLE DES BANQUETS - OUAGA 2000, Ouagadougou, Burkina Faso
  - Kamboinse campus (referenced in procurement documents)

## Interesting Findings

### 1. Procurement Documents Exposed (WPDM - 146 items)

The WordPress Download Manager contains **146 downloadable documents**, primarily:
- **140 procurement/tender documents** (Appels d'offres category)
- **18 Mastercard Foundation scholarship documents** (Appels a candidature mastercard)
- Includes: security company recruitment, cleaning services contracts, laboratory equipment purchases, vehicle acquisitions, consultant recruitment, and strategic planning documents
- Internal reference numbers visible (e.g., N 2025/178/DSG-2iE/PS, N 2024/156/DEAA-2iE/AF)
- Documents reveal internal organizational structure: DSG (Direction des Services Generaux), DEAA, DSI, DG

### 2. PDF and Word Documents in Media Library

- **36 PDF files** directly accessible via wp-content/uploads/
- **11 Word documents** (.doc/.docx) directly accessible
- Notable files:
  - `RAPPORT-RSE-2024-IMPRIMMABLE.pdf` - Corporate Social Responsibility report
  - `Catalogue-de-Formation-en-IA-2026.pdf` - AI Training catalog
  - `CATALOGUE-RESUME-DES-FORMATIONS-2025-2026.pdf` - Full course catalog
  - `POLITIQUE-DINCLUSION-PERSONNES-HANDICAPEES-2IE.pdf` - Disability inclusion policy
  - `Tutoriel-GLPI-DSG-DSI-Plateforme-dassistance-aux-utilisateurs-de-2iE.pdf` - Internal IT help desk tutorial (GLPI)
  - `IA_Automatisation_Secretariat_OK.pdf` - AI automation for secretarial work
  - `NEWSLETTER-2iE-N6_3EME-TRIMESTRE-2025.pdf` - Internal newsletter
  - Pre-registration forms (.doc) for various training programs
  - Candidate shortlists with names for Mastercard scholarship programs (EREE, EMIH, BGIS, ANC cohorts)

### 3. Internal IT Infrastructure Hints

- Uses **GLPI** for IT service management (help desk platform)
- **SiteGround** hosting (siteground-optimizer and siteground-settings plugins)
- **Wordfence** WAF/firewall active
- **WP Smush** for image optimization (WPMU DEV subscription)
- **Hub Connector** plugin (WPMU DEV dashboard)
- **Popup Maker** for site popups
- **The Events Calendar** (Tribe) for event management
- **WP Download Manager** for document distribution
- **Contact Form 7** for web forms
- **FooGallery** for image galleries
- **NotificationX** for social proof notifications
- **Safe SVG** for SVG upload support
- **Meow Analytics** for analytics
- **WP Job Manager** (WPJM) for job listings
- **Yoast SEO** (referenced in routes)

### 4. Plugin Stack (27 namespaces, 392 routes)

| Plugin | Status | Notes |
|--------|--------|-------|
| WordPress Core (wp/v2) | ACCESSIBLE | Full content dump obtained |
| FooGallery (foogallery/v1) | BLOCKED | Galleries require auth |
| Contact Form 7 | BLOCKED | Forms require auth |
| WP Download Manager (wpdm) | PARTIALLY ACCESSIBLE | 146 documents via wpdmpro, search works |
| The Events Calendar (tribe) | ACCESSIBLE | 0 current events, 2 venues, 1 organizer |
| Popup Maker | PARTIALLY ACCESSIBLE | Themes visible, popups/CTAs blocked |
| Wordfence | BLOCKED | Scan issues require auth |
| NotificationX | MOSTLY BLOCKED | Builder schema visible |
| SiteGround Optimizer | ACCESSIBLE | Configuration schema exposed |
| SiteGround Settings | ACCESSIBLE | Settings schema exposed |
| WP Smush | ACCESSIBLE | API schema visible |
| Hub Connector | ACCESSIBLE | WPMU DEV connection info |
| WP Logo Showcase | ACCESSIBLE | API info visible |
| Meow Analytics | NO DATA | Empty namespace |
| Safe SVG | NO DATA | Empty namespace |
| Flavor (5 endpoints) | NO DATA | All return no route |
| WPJM Internal | ACCESSIBLE | Job manager internal routes |
| oEmbed | ACCESSIBLE | Standard embed discovery |

### 5. Comments Contain Personal Information

- **228 unique commenters** across 267 comments
- Several commenters leaked personal info in URL fields:
  - James chany George gatleak: http://www%20jameschanygatleak@gmail.com
  - Jeannor GERMAIN: http://germainjeannor425@gmail.com
  - WANDAOGO: http://wangoharouna119@gmail.com
  - DOSSO FALIKOU LUDOVIC: http://2ie@2ie-edu.org
  - Ndame mbappe Moussinga Alfred: http://tonnytp2@gmail.com
  - WALMI TAOLAM BASSAMI: http://walmiabdias4@gmail.com
  - Tibiri Cédric FOROZA JUNIOR: http://cedrictibiri@yahoo.fr
  - Nouradine Ahmat Mahamat Saleh: http://nouradineahmatmahamatsaleh@gmail.com
- Phone numbers found in URL fields (e.g., 22379276447, +226 50101826)
- All commenters have SHA256 gravatar hashes (usable for email verification)
- "Webmaster" account visible in comments (2 comments)

### 6. Organizational Structure (from page titles and content)

- **Departments:** STI (Sciences Techniques de l'Ingenieur), DEAA, DSG (Direction des Services Generaux), DSI (Direction des Systemes d'Information)
- **Laboratories:** LEHSA, LEMHaD, LabEREE-2iE
- **Programs:** CEA (Centre d'Excellence Africain), ANC, EREE, EMIH, BGIS
- **Partners:** Fondation Mastercard, UEMOA, Centrale (Centrale-2iE African Bachelor of Engineering), FONRID
- **Internal systems referenced:** GLPI (IT ticketing), RAIBAUD conference room (videoconferencing)

### 7. WordPress Configuration

- **23 custom post types** including: post, page, attachment, job_listing, wpdmpro, tribe_venue, tribe_organizer, tribe_events, popup, popup_theme, pum_cta, layout_block, teacher, nx_bar_eb, tec_calendar_embed
- **9 taxonomies** including: category, post_tag, job_listing_type, wpdmcategory, wpdmtag, tribe_events_cat
- **7 post statuses** including: publish, expired, tribe-ea-success, tribe-ea-failed, tribe-ea-schedule
- Site language: **French (fr)**
- User registration: **blocked** (API returns 401 for user listing)
- Author enumeration: **blocked** (403 on /?author=N)

### 8. Media MIME Type Distribution

| MIME Type | Count |
|-----------|-------|
| image/jpeg | 246 |
| application/pdf | 36 |
| application/msword | 8 |
| image/png | 6 |
| application/vnd.openxmlformats-officedocument.wordprocessingml.document | 3 |

### 9. Security Assessment Notes

- User enumeration properly blocked
- Contact Form 7 properly restricted
- FooGallery properly restricted
- Wordfence WAF active
- Settings endpoint properly restricted
- Menu structure restricted
- **However:** WPDM documents and all post/page content freely accessible
- **However:** All media upload URLs exposed with full server paths
- **However:** Comment section exposes personal data (names, URLs, gravatar hashes)
- **However:** Internal documents (RSE reports, GLPI tutorials, newsletters) publicly accessible

## Categories (22 total)

| ID | Name | Post Count |
|----|------|-----------|
| 51 | Actualité | 331 |
| 96 | ANC | 3 |
| 122 | Appel à candidature | 6 |
| 70 | Appel d'offre | 3 |
| 67 | CEA | 23 |
| 80 | coronavirus | 4 |
| 127 | Doctoriales 2023 | 1 |
| 16 | Events | 3 |
| 128 | Fichier libre | 1 |
| 123 | FILE IN AFRICA | 45 |
| 69 | Galerie | 2 |
| 131 | Newsletter | 4 |
| 1 | Non classé | 12 |
| 72 | Opportunité incubateur | 3 |
| 148 | RSE | 3 |
| 126 | SEGECOS | 1 |
| 17 | Services | 0 |
| 139 | Soutenance de thèse | 16 |
| 110 | success stories | 8 |
| 18 | Uncategorized | 0 |
| 78 | vidéo | 2 |
| 105 | vidéos | 5 |

## WPDM Download Categories

| ID | Name | Document Count |
|----|------|---------------|
| 129 | Appels à candidature mastercard | 18 |
| 34 | Appels d'offres | 140 |
| 36 | General | 2 |
| 35 | Postes vacants | 0 |

## Endpoints Tested But Blocked (401/403)

- `/wp/v2/users` - User listing blocked
- `/wp/v2/settings` - Settings blocked
- `/contact-form-7/v1/contact-forms` - Contact forms blocked
- `/foogallery/v1/galleries` - Photo galleries blocked
- `/popup-maker/v2/popups` - Popups blocked
- `/popup-maker/v2/ctas` - CTAs blocked
- `/wordfence/v1/scan/issues` - Scan issues blocked
- `/wpdm/v1/media/protected` - Protected media blocked
- `/wpdm/v1/media/private-storage` - Private storage blocked
- `/wpdm/v1/media/protection-settings` - Protection settings blocked
- `/notificationx/v1/nx` - Notifications blocked
- `/notificationx/v1/feedback-entries` - Feedback blocked
- `/wp/v2/menu-items` - Menu items blocked
- `/wp/v2/menus` - Menus blocked
- `/wp/v2/templates` - Templates blocked

## Files Dumped

| File | Size |
|------|------|
| api-root.json | 560.4 KB |
| blocks.json | 2 B |
| categories-page1.json | 13.8 KB |
| cf7-contact-forms.json | 155 B |
| comments-page1.json | 125.9 KB |
| comments-page2.json | 126.5 KB |
| comments-page3.json | 88.2 KB |
| flavor-flavor-api.json | 183 B |
| flavor-flavor.json | 183 B |
| flavor-flavor2.json | 183 B |
| flavor-v1.json | 183 B |
| flavor-v2.json | 183 B |
| foogallery-galleries.json | 162 B |
| foogallery-root.json | 620 B |
| global-styles.json | 183 B |
| hub-connector.json | 1012 B |
| job-listings-page1.json | 3.8 KB |
| layout-blocks.json | 97.0 KB |
| media-page1.json | 366.0 KB |
| media-page2.json | 350.8 KB |
| media-page3.json | 361.2 KB |
| menu-items.json | 160 B |
| menus.json | 139 B |
| meow-analytics.json | 183 B |
| navigation.json | 2 B |
| notificationx-feedback.json | 133 B |
| notificationx-items.json | 2 B |
| notificationx-nx.json | 133 B |
| notificationx.json | 12.6 KB |
| oembed-embed.json | 2.1 KB |
| oembed-root.json | 1.8 KB |
| pages-page1.json | 1.1 MB |
| pages-page2.json | 957.3 KB |
| popup-maker-ctas.json | 107 B |
| popup-maker-popups.json | 107 B |
| popup-maker-themes.json | 9.1 KB |
| popup-maker-v1.json | 1.7 KB |
| popup-maker-v2.json | 47.9 KB |
| posts-page1.json | 1.4 MB |
| posts-page2.json | 1.0 MB |
| posts-page3.json | 710.6 KB |
| posts-page4.json | 503.0 KB |
| pum-analytics.json | 145 B |
| pum-v1.json | 753 B |
| safe-svg.json | 183 B |
| search-page1.json | 59.4 KB |
| search-page2.json | 57.6 KB |
| search-page3.json | 56.3 KB |
| search-page4.json | 58.8 KB |
| search-page5.json | 58.6 KB |
| search-page6.json | 55.1 KB |
| search-page7.json | 47.3 KB |
| search-page8.json | 12.4 KB |
| settings.json | 133 B |
| siteground-optimizer.json | 16.6 KB |
| siteground-settings.json | 704 B |
| statuses.json | 1.5 KB |
| tags-page1.json | 36.1 KB |
| taxonomies.json | 3.8 KB |
| teacher-page1.json | 117.9 KB |
| templates.json | 182 B |
| tribe-categories.json | 124 B |
| tribe-doc.json | 54.7 KB |
| tribe-events-page1.json | 210 B |
| tribe-organizers.json | 623 B |
| tribe-tags.json | 3.3 KB |
| tribe-venues.json | 1.2 KB |
| types.json | 14.3 KB |
| users-embed.json | 108 B |
| users-page1.json | 108 B |
| wordfence-root.json | 2.3 KB |
| wordfence-scan-issues.json | 107 B |
| wp-logo-showcase.json | 814 B |
| wp-smush.json | 652 B |
| wp-tribe-events-cat.json | 2 B |
| wp-tribe-events-page1.json | 2 B |
| wp-tribe-organizer.json | 1.3 KB |
| wp-tribe-venue.json | 2.5 KB |
| wpdm-categories.json | 2.7 KB |
| wpdm-private-storage.json | 133 B |
| wpdm-protected-media.json | 133 B |
| wpdm-protection-settings.json | 133 B |
| wpdm-root.json | 2.3 KB |
| wpdm-root2.json | 1.7 KB |
| wpdm-search-page1.json | 58.7 KB |
| wpdm-search-page10.json | 58.7 KB |
| wpdm-search-page11.json | 58.7 KB |
| wpdm-search-page12.json | 58.7 KB |
| wpdm-search-page13.json | 58.7 KB |
| wpdm-search-page14.json | 58.7 KB |
| wpdm-search-page15.json | 58.7 KB |
| wpdm-search-page2.json | 58.7 KB |
| wpdm-search-page3.json | 58.7 KB |
| wpdm-search-page4.json | 58.7 KB |
| wpdm-search-page5.json | 58.7 KB |
| wpdm-search-page6.json | 58.7 KB |
| wpdm-search-page7.json | 58.7 KB |
| wpdm-search-page8.json | 58.7 KB |
| wpdm-search-page9.json | 58.7 KB |
| wpdm-search.json | 58.7 KB |
| wpdm-tags.json | 1.9 KB |
| wpdmpro-page1.json | 729.9 KB |
| wpdmpro-page2.json | 283.5 KB |
| wpjm-promoted-jobs.json | 11 B |

**Total: 104 files, 10.3 MB**

## Next Steps / Recommendations

1. **Download the PDF/Word documents** from the media library URLs for content analysis
2. **Gravatar hash lookup** - The 228 commenter gravatar hashes can potentially be reversed to email addresses
3. **WPDM document analysis** - The 146 procurement documents may contain internal contacts, budgets, organizational details
4. **Internal naming patterns** - Reference numbers like N 2025/178/DSG-2iE/PS reveal internal document numbering scheme
5. **Scholarship candidate lists** - Pre-selection results PDFs contain names of applicants
6. **GLPI instance** - Look for the GLPI help desk platform which may be publicly accessible
7. **SiteGround hosting** - May provide additional attack surface via cPanel or SiteGround tools