# DGI-GOUV.HT -- WordPress REST API Reconnaissance Report

- **Target:** https://dgi.gouv.ht (Direction Generale des Impots -- Haiti Tax Authority)
- **Date:** 2026-03-04
- **Method:** Passive reconnaissance via publicly accessible WordPress REST API endpoints
- **Data Directory:** `C:\Users\Squir\Desktop\HAITI\DUMP\DGI-GOUV\`

---

## Tech Stack

| Component | Detail |
|-----------|--------|
| **CMS** | WordPress (French locale) |
| **Hosting** | Hostinger hPanel |
| **Web Server** | LiteSpeed (with LiteSpeed Cache) |
| **PHP Version** | 8.2.29 |
| **SEO Plugin** | All in One SEO Pro v4.6.5 |
| **Page Builder** | Elementor |
| **Theme** | Flavor / OvaTheme framework (ova_dep, ova_doc, ova_por, ova_sev, ova_framework_hf_el custom post types) |
| **Forms** | Contact Form 7, WPForms |
| **Analytics** | MonsterInsights, Google Site Kit |
| **Docs/FAQ** | BetterDocs |
| **Job Board** | Easy Jobs (easyjobs-template.php) |
| **Email Marketing** | MC4WP (Mailchimp for WordPress) |
| **Redirects** | Redirection plugin |
| **Onboarding** | Hostinger Easy Onboarding |
| **AI** | Hostinger AI Assistant |
| **Cache** | LiteSpeed Cache (X-LiteSpeed-Cache: hit) |
| **Security Headers** | Content-Security-Policy: upgrade-insecure-requests |
| **Protocol** | HTTP/3 (alt-svc: h3) |
| **Authentication** | Application Passwords enabled (authorize-application.php endpoint exposed) |
| **GMT Offset** | -5 (Haiti / Eastern Time) |

---

## Content Counts

| Endpoint | Count | Pages | File |
|----------|-------|-------|------|
| **Posts** | 39 | 1 | `posts-p1.json` (1,027,827 bytes) |
| **Pages** | 17 | 1 | `pages-p1.json` (427,663 bytes) |
| **Media** | 250 | 3 | `media-p1.json` through `media-p3.json` (833,293 bytes total) |
| **Categories** | 7 | 1 | `categories.json` |
| **Tags** | 0 | -- | `tags.json` |
| **Users** | 5 | 1 | `users.json` |
| **Comments** | 0 | -- | `comments.json` |
| **Types** | 17 registered | -- | `types.json` |
| **Taxonomies** | 13 registered | -- | `taxonomies.json` |
| **Formations** | 5 | 1 | `formation.json` |
| **Job Posts** | 2 | 1 | `jobpost.json` |
| **BetterDocs FAQ** | 12 | 1 | `betterdocs-faq.json` |
| **Docs** | 0 | -- | `docs.json` (empty) |
| **Statistiques** | 0 | -- | `statistiques.json` (empty) |
| **Discours** | 0 | -- | `discours.json` (empty) |

---

## Exposed Users (5)

| ID | Display Name | Slug | URL | Profile Link |
|----|-------------|------|-----|-------------|
| 1 | **louicent19@gmail.com** | louicent19gmail-com | https://dgi.gouv.ht | https://dgi.gouv.ht/author/louicent19gmail-com/ |
| 2 | Jodelin Desrameaux | jodelin | http://inno100.tech | https://dgi.gouv.ht/author/jodelin/ |
| 27 | La DGI | dgi | -- | https://dgi.gouv.ht/author/dgi/ |
| 30 | **saintfequel@gmail.com** | saintfequelgmail-com | -- | https://dgi.gouv.ht/author/saintfequelgmail-com/ |
| 31 | Fequelson Saint-Cyr | 2010 | http://dgi.gouv.ht | https://dgi.gouv.ht/author/2010/ |

### User OPSEC Findings
- **User ID 1** display name IS their email address: `louicent19@gmail.com` -- primary admin account
- **User ID 30** display name IS their email address: `saintfequel@gmail.com` -- likely Fequelson Saint-Cyr's personal email
- **User ID 31** (Fequelson Saint-Cyr) has slug `2010`, suggesting the username follows a year-based pattern
- **User ID 2** (Jodelin Desrameaux) links to `inno100.tech` -- external tech company/portfolio
- Gravatar hashes exposed for all 5 users (SHA256)

---

## API Namespaces (21)

```
oembed/1.0
aioseo/v1
betterdocs/v1
contact-form-7/v1
essential-blocks/v1
hostinger-easy-onboarding/v1
litespeed/v1
litespeed/v3
redirection/v1
mc4wp/v1
monsterinsights/v1
hostinger-ai-assistant/v1
hostinger-amplitude/v1
hostinger-tools-plugin/v1
google-site-kit/v1
betterdocs
elementor/v1
wpforms/v1
wp/v2
wp-site-health/v1
wp-block-editor/v1
```

---

## Registered Post Types (17)

| Slug | Name | REST Base | Notes |
|------|------|-----------|-------|
| post | Articles | posts | Standard |
| page | Pages | pages | Standard |
| attachment | Attachments | media | Standard |
| nav_menu_item | Menu Items | menu-items | Standard (auth required) |
| wp_block | Compositions | blocks | Gutenberg reusable blocks |
| wp_template | Templates | templates | Block themes |
| wp_template_part | Template Parts | template-parts | Block themes |
| wp_global_styles | Global Styles | global-styles | Block themes |
| wp_navigation | Navigation | navigation | Block themes |
| wp_font_family | Font Families | font-families | WP 6.x |
| wp_font_face | Font Faces | font-families/.../font-faces | WP 6.x |
| **docs** | **FAQ** | docs | BetterDocs (0 items via API) |
| **formation** | **Formations** | formation | Custom (5 items) |
| **statistiques** | **Statistiques** | statistiques | Custom (0 items via API) |
| **discours** | **Discours** | discours | Custom (0 items via API) |
| **jobpost** | **Emplois** | jobpost | Easy Jobs (2 items) |
| **betterdocs_faq** | **BetterDocs FAQ** | betterdocs_faq | BetterDocs (12 items) |

---

## Registered Taxonomies (13)

| Slug | Name | Types | Note |
|------|------|-------|------|
| category | Categories | post | Standard |
| post_tag | Tags | post | Standard (0 used) |
| nav_menu | Navigation Menus | nav_menu_item | Standard |
| wp_pattern_category | Pattern Categories | wp_block | WP 6.x |
| **categorie-formation** | Formation Categories | formation | Custom |
| **doc_category** | Docs Categories | docs | BetterDocs |
| **doc_tag** | Docs Tags | docs | BetterDocs |
| **event_type** | Event Types | event | OvaTheme |
| **jobpost_category** | Job Categories | jobpost | Easy Jobs |
| **jobpost_job_type** | Job Types | jobpost | Easy Jobs |
| **jobpost_location** | Job Locations | jobpost | Easy Jobs |
| **jobpost_tag** | Job Tags | jobpost | Easy Jobs |
| **betterdocs_faq_category** | FAQ Categories | betterdocs_faq | BetterDocs |

---

## Categories (7)

| ID | Name | Slug | Post Count |
|----|------|------|-----------|
| 119 | Actualites | actualites | 34 |
| 122 | Avis | avis | 5 |
| 123 | Communique | communique | 2 |
| 125 | DRSM | drsm | 0 |
| 7 | La DGI | dgi | 5 |
| 124 | Non Classe | non-classe | 0 |
| 1 | Uncategorized | uncategorized | 0 |

---

## Media Breakdown (250 items)

| MIME Type | Count |
|-----------|-------|
| image/jpeg | 85 |
| **application/pdf** | **51** |
| image/png | 30 |
| image/webp | 28 |
| application/vnd.openxmlformats-officedocument.wordprocessingml.document | 3 |
| text/plain | 2 |
| video/mp4 | 1 |

### PDF Documents (51) -- Tax Forms and Official Documents
Most are Haitian tax declaration forms from January 2020, including:
- **TTV** (Taxe sur la Valeur) forms
- **TSP** (Taxe de Solidarite et de Participation) forms
- **TPA** forms
- **TMS** (Taxe sur la Masse Salariale) forms
- **TCV-ANTB** forms
- **TCS** forms
- **TCA** (multiple pages, simplified version) forms
- **Registration forms**: Personne Physique (A), Entreprise individuelle (B), Societe en nom collectif (C), Societe anonyme (D)
- **PATENTE** (business license) forms
- **RAS** (Retenue a la Source) forms
- **IS-F** (Impot sur les Societes) forms
- **IFCA** forms
- **Plus-Values** forms
- **Statut de l'Immeuble** forms
- **TA** forms
- **Droit de Non-Fonctionnement** forms
- **Droit de Licence Mensuel** forms
- **Droit de Fonctionnement** forms
- **Forfaitaire Compagnies** forms
- Company Briefing Update for the Year (English)
- Annual Summary of Active Tax Increment Financing (English)

### DOCX Documents (3)
- Transport Briefing Update for the Year
- Tax Increment Financing Application (2 copies)

### Exposed Log Files (2) -- SECURITY FINDING
- `https://dgi.gouv.ht/wp-content/uploads/2023/04/log_file_2023-04-08__16-55-52.txt` (One Click Demo Import log)
- `https://dgi.gouv.ht/wp-content/uploads/2023/02/log_file_2023-02-27__02-21-19.txt` (One Click Demo Import log)

These log files may reveal theme/plugin import details, file paths, and server configuration.

### Video (1)
- `https://dgi.gouv.ht/wp-content/uploads/2020/07/4K_3.mp4`

---

## Sitemap Structure (AIOSEO Pro)

- **Root:** `https://dgi.gouv.ht/sitemap.xml` (19 sub-sitemaps)
- **RSS Sitemap:** `https://dgi.gouv.ht/sitemap.rss`
- **WP Core Sitemap:** `https://dgi.gouv.ht/wp-sitemap.xml` (disabled/empty)

### Sub-sitemaps:
| Sitemap | Items | Notable URLs |
|---------|-------|--------------|
| post-sitemap.xml | 39 posts | All news/announcements |
| page-sitemap.xml | ~17 pages | Includes FAQ, Contact, Tax Calendar |
| **team-sitemap.xml** | **33 team members** | Full director general history (see below) |
| **ova_sev-sitemap.xml** | **22 services** | All DGI tax services with URLs |
| event-sitemap.xml | 5 events | Including call center launch (105) |
| formation-sitemap.xml | 5 formations | Insurance company training |
| jobpost-sitemap.xml | 2 job posts | Verificateur junior, Business Analyst |
| ova_doc-sitemap.xml | 2 documents | Annual report 2019-2020, Tax code commentary |
| ova_dep-sitemap.xml | 1 department | /ova_dep/dept-1/ |
| ova_por-sitemap.xml | 1 portfolio item | Formulaire A |
| ova_framework_hf_el-sitemap.xml | 3 | Header/footer Elementor templates |
| category-sitemap.xml | categories | |
| cat_doc-sitemap.xml | doc categories | |
| cat_sev-sitemap.xml | service categories | |
| cat_por-sitemap.xml | portfolio categories | |
| event_type-sitemap.xml | event types | |
| jobpost_category-sitemap.xml | job categories | |
| jobpost_job_type-sitemap.xml | job types | |
| post-archive-sitemap.xml | archive pages | |

---

## Team / Directors General (33 Entries from Sitemap)

Full history of DGI directors general exposed at `/equipe/` URLs:
- Jean-Emmanuel Casseus (appears twice -- current and historical)
- Miradin Morlan
- Andral Joseph
- Jean-Baptiste Clarck Neptune
- Robert Joseph
- Jean-Frantz Richard
- John E. Desroches
- Jean-Frantz Theodate
- Jocelerme Privert
- Jean-Joseph Daniel
- Marc-Edouard Bien-Aime
- Diogene Desir
- Andre Lemercier Georges
- Francois Bouzi
- Claude Grand-Pierre
- Serge Salomon
- Wilner Dessources
- Raymond Fourreau
- Amos Durosier
- Odonel Fenestor
- Max Merentier
- Franck Sterlin
- Raymond Pierre-Louis
- Andre Saintlot
- Pierre D. Montes
- Georges E. Roy
- Edme Angrand
- Saint-Louis Jeanty
- Albert Beliard
- Gaston Margron
- Charles de Delva
- Ing. Francois Georges

---

## DGI Tax Services (22 -- from ova_sev sitemap)

1. Taxe Permis de Conduire (Driver's License Tax)
2. Declaration Definitive Impot Revenu (Definitive Income Tax Declaration)
3. La Matricule Fiscale (Tax ID Registration)
4. Les Retenus a la Source (Withholding Tax)
5. Le Revenu Foncier (Property Income)
6. Droit de Licence des Etrangers (Foreign License Fee)
7. Le Droit de Fonctionnement (Operating Fee)
8. Le Droit de Non-Fonctionnement (Non-Operating Fee)
9. La Legalisation des Pieces (Document Legalization)
10. La Patente (Business License)
11. La Carte d'Identite Professionnelle (Professional ID Card)
12. Contribution FGDCT (Local Government Development Fund)
13. Les Traitements et Salaires (Salaries & Wages)
14. Les Revenus des Capitaux Mobiliers (Investment Income)
15. Le Droit de Passeport (Passport Fee)
16. La Caisse d'Assistance Sociale (Social Assistance Fund)
17. Le Fonds d'Urgence (Emergency Fund)
18. Le Quitus Fiscal (Tax Clearance)
19. Regime Forfaitaire Impot sur le Revenu (Flat-Rate Income Tax)
20. L'Acompte Provisionnel (Provisional Tax Installment)
21. Contribution Fonciere Proprietes Baties (Built Property Tax)
22. Taxe sur la Masse Salariale (Payroll Tax)

---

## Security / OPSEC Findings Summary

1. **Email addresses exposed as usernames** -- User IDs 1 and 30 have their Gmail addresses as display names visible via the public users API endpoint
2. **External developer link** -- User "Jodelin Desrameaux" links to `inno100.tech`, likely the web developer/contractor
3. **Application Passwords endpoint exposed** -- `https://dgi.gouv.ht/wp-admin/authorize-application.php` is accessible
4. **Demo import log files publicly accessible** -- Two `One Click Demo Import` log files in `/wp-content/uploads/` may reveal internal paths and configuration
5. **Full AIOSEO route map exposed** -- 90+ API routes visible including admin-level endpoints (htaccess, backup, import/export, plugin management)
6. **All 51 tax form PDFs publicly indexed** -- Downloadable from `/wp-content/uploads/2020/07/`
7. **Gravatar hashes exposed** -- SHA256 hashes for all 5 users, can be used for email verification
8. **Plugin fingerprinting complete** -- 15+ plugins identified via API namespaces
9. **WordPress version likely 6.x** -- Based on font-families API, global-styles, navigation, and block theme support
10. **robots.txt reveals sitemaps** -- Both XML and RSS sitemaps indexed
11. **Custom post types reveal organizational structure** -- Formations, Statistics, Speeches, Job Posts all registered (some empty)
12. **33 named officials exposed** -- Full historical directory of DGI directors general via team sitemap

---

## File Inventory

| File | Size | Description |
|------|------|-------------|
| api-root.json | 474 KB | Full API discovery document with all routes |
| posts-p1.json | 1,004 KB | All 39 posts with full content |
| pages-p1.json | 418 KB | All 17 pages with full content |
| media-p1.json | 340 KB | Media items 1-100 |
| media-p2.json | 256 KB | Media items 101-200 |
| media-p3.json | 218 KB | Media items 201-250 (50 remaining) |
| users.json | 3.6 KB | 5 exposed user accounts |
| categories.json | 4.3 KB | 7 categories |
| tags.json | 2 bytes | Empty array |
| comments.json | 2 bytes | Empty array |
| types.json | 8.7 KB | 17 registered post types |
| taxonomies.json | 5.5 KB | 13 registered taxonomies |
| formation.json | 36.8 KB | 5 training posts |
| jobpost.json | 12.7 KB | 2 job listings |
| betterdocs-faq.json | 38.8 KB | 12 FAQ items |
| docs.json | 2 bytes | Empty |
| statistiques.json | 2 bytes | Empty |
| discours.json | 2 bytes | Empty |
| aioseo-root.json | 25.3 KB | AIOSEO route map (90+ routes) |
| betterdocs-root.json | 5.9 KB | BetterDocs route map |
| elementor-root.json | 6.4 KB | Elementor route map |
| doc-categories.json | 1.5 KB | 2 doc categories |
| jobpost-categories.json | 1.9 KB | 3 job categories |
| jobpost-locations.json | 1.3 KB | 2 job locations |
| jobpost-types.json | 1.3 KB | 2 job types |
| formation-categories.json | 2 bytes | Empty |
| cf7-forms.json | 155 bytes | 403 Forbidden |
| redirection.json | 133 bytes | 401 Unauthorized |
| wpforms.json | 95 bytes | 401 Private |
| menus.json | 139 bytes | 401 Unauthorized |
| menu-items.json | 160 bytes | 401 Unauthorized |
| robots.txt | 155 bytes | robots.txt |
| sitemap.xml | 3.1 KB | AIOSEO sitemap index |
| sitemap.rss | 17.7 KB | RSS sitemap |
| wp-sitemap.xml | 0 bytes | WP core sitemap (disabled) |
| *-sitemap.xml (15 files) | various | All AIOSEO sub-sitemaps |
| *-headers.txt (various) | various | HTTP response headers |

**Total data collected:** ~2.9 MB across 55+ files
