# MD.GOUV.HT -- Ministere de la Defense d'Haiti
## WordPress REST API Full Dump Report
**Date:** 2026-03-04
**Target:** https://md.gouv.ht
**Method:** WordPress REST API (unauthenticated)

---

## TECH STACK

| Component | Value |
|-----------|-------|
| CMS | WordPress (latest, French locale) |
| PHP | 8.2.28 |
| Theme | Astra (page builder theme) |
| Page Builder | Elementor (Pro) + Elementor AI |
| Security Plugin | iThemes Security (Solid Security) |
| Form Plugin | Forminator |
| Popup Plugin | Brave Popup Builder |
| Code Snippets | Code Snippets Pro |
| SEO | None (Yoast NOT installed -- 404 on Yoast endpoint) |
| AI/Builder | ZipWP (AI site builder), Gutenberg Templates |
| WPMU DEV | Plugin Cross Sell present |
| Hub Connector | WPMU DEV Hub Connector |
| XML-RPC | ENABLED (accepts POST requests) |
| Application Passwords | ENABLED (auth endpoint exposed) |
| SSL | Yes (HTTPS) |
| Dev Origin | `http://laministeredf.local/` (leaked in navigation GUID) |

---

## USERS (2 accounts found)

| ID | Name | Slug (Username) | Role | Gravatar SHA256 |
|----|------|-----------------|------|-----------------|
| 1 | PRL | **admindev** | Administrator (primary) | `33e54dec0cd79fc4b5e911c15f836c46ec8d0e452ecd3ca5f707bce0a3540a3b` |
| 5 | Jean Guiteau LAFAYE | **ljguy** | Author/Editor | `6b4719d9a34c5d7ba29291ddeeb52119771098992822832fb2cdee5b384422bb` |

- **Author pages:** `/author/admindev/` and `/author/ljguy/`
- User "admindev" (ID 1) is clearly the site administrator -- username suggests a dev account left in production
- Jean Guiteau LAFAYE (ljguy) is the primary content author (21 of 22 posts)
- Gravatar hashes can be used for email reverse lookups

---

## CONTENT COUNTS

| Content Type | Count |
|-------------|-------|
| Posts | 22 |
| Pages | 20 |
| Media Items | 168 |
| Categories | 6 |
| Tags | 5 |
| Comments | 1 |
| Navigation Menus | 1 |
| Popups | 1 |
| Search Results | 45 |

### Media Breakdown
| Type | Count |
|------|-------|
| image/jpeg | 130 |
| application/pdf | 19 |
| image/png | 11 |
| video/mp4 | 8 |

### Upload Date Distribution
| Period | Files |
|--------|-------|
| 2024/06 | 23 |
| 2024/07 | 27 |
| 2024/08 | 45 |
| 2024/10 | 19 |
| 2024/11 | 21 |
| 2024/12 | 13 |
| 2025/06 | 1 |
| 2025/07 | 15 |
| 2026/02 | 4 |

---

## API NAMESPACES (25 total)

```
ithemes-security/rpc
ithemes-security/v1
oembed/1.0
code-snippets/v1
elementor-one/v1
zipwp/v1
brave/v1
astra/v1
elementor/v1/documents
elementor/v1
elementor-ai/v1
elementor/v1/feedback
hub-connector/v1
one-onboarding/v1
forminator/v1
wpmudev_pcs/v1
getting-started/v1
zipwp-images/v1
nps-survey/v1
gutenberg-templates/v1
bsf-core/v1
wp/v2
wp-site-health/v1
wp-block-editor/v1
wp-abilities/v1
```

**Total API routes exposed:** 375

---

## CATEGORIES

| ID | Name | Slug | Post Count |
|----|------|------|------------|
| 13 | A la Une | a-la-une | 12 |
| 8 | FAd'H | solution-de-fadh | 8 |
| 10 | le ministere | le-peuple | 19 |
| 9 | le ministere evenement | md | 2 |
| 3 | ministere operation | ministere-operation | 1 |
| 1 | Uncategorized | uncategorized | 0 |

## TAGS

| ID | Name | Slug | Post Count |
|----|------|------|------------|
| 16 | #Defense | defense | 1 |
| 17 | #FAd'H | fadh | 2 |
| 15 | #Haiti | haiti | 1 |
| 18 | Nomination | nomination | 1 |
| 19 | Securite | securite | 1 |

---

## INTERESTING FINDINGS

### 1. Dev Environment Leak
The navigation menu (ID 5) GUID reveals the local development domain:
```
http://laministeredf.local/navigation/
```
This tells us the site was built locally as "laministeredf" before deployment.

### 2. Admin Username = "admindev"
The primary administrator account (ID 1) uses the slug **admindev**, a classic developer account name left in production. This is the WordPress user ID 1 (super admin).

### 3. Military Recruitment PDFs -- Personnel Lists
19 PDFs are publicly accessible containing **lists of eligible military postulants/candidates** for the Forces Armees d'Haiti (FAd'H). These include:
- `Liste-de-Postulants-eligibles-pour-prendre-part-aux-examents.pdf` (multiple versions)
- `CONSIGNES-POUR-LE-CONCOURS.pdf`
- Daily registration lists (Aug 13-29, 2024) with full names
- `liste-mardi-13-recrutement.pdf`
- ISBN book: `9782379350283.pdf`

**All accessible at:** `https://md.gouv.ht/wp-content/uploads/2024/08/`

### 4. FAd'H Recruitment Forms
Active military recruitment forms are exposed:
- `/formulaire-de-formation-du-fadh/` -- Training enrollment form
- `/formulaire-dinscription-fadh/` -- FAd'H Inscription Form 2026
- Age limits: 25 years (corps d'armes), 35 years (cadres)

### 5. Employee/Military Portal
Page at `/newsletter/` (ID 2101) titled "Employes du MD/FAd'H" is a restricted registration page for Ministry of Defense employees and FAd'H members. The `[newsletter]` shortcode suggests a Forminator or similar form.

### 6. Login/Registration System Exposed
Full user management system with pages:
- `/login/` -- Login
- `/register/` -- Registration
- `/account/` -- User account
- `/members/` -- Members listing
- `/password-reset/` -- Password reset
- `/logout/` -- Logout
- `/user/` -- User profile

### 7. Contact Information
- **Address:** Angle rues Geffrard et de la Republique, Champs-de-Mars, Grand Quartier General, Port-au-Prince, Haiti
- **Email:** infodefense@md.gouv.ht
- **Phone:** (509) 28103420
- **Social:** Facebook, Twitter, YouTube

### 8. Military Leadership Names (from posts)
- **Current Minister of Defense:** Jean-Michel MOISE (installed Nov 19, 2024)
- **Previous Minister of Defense:** Jean Marc Berthier ANTOINE
- **Director General:** Me Jean Ronel SISTANIS (installed July 29, 2024)
- **Commander in Chief a.i. FAd'H:** Lieutenant-General Derby GUERRIER (installed Aug 2024)
- **Previous Commander in Chief:** Lieutenant-General Jodel LESAGE
- **Interior Minister:** Paul Antoine BIEN-AIME (performed installation)
- **341 new soldiers** nominated by Minister Moise (Feb 2026)
- **Goal: 20,000 military trained** over 5 years (4,000/year)

### 9. Diplomatic Activity (from posts)
- Meeting with **French Ambassador** (Dec 2024)
- Meeting with **US Charge d'Affaires from Mexico** (Dec 2024)
- Meeting with **Taiwan (ROC) Ambassador** (Nov 2024)
- Participation in **16th Conference of Defense Ministers of the Americas (CMDA)** in Washington (Oct 2024)
- Visit to **Inter-American Defense Board (JID)** headquarters (Oct 2024)

### 10. XML-RPC Enabled
`/xmlrpc.php` responds with "XML-RPC server accepts POST requests only" -- this is a known attack vector for brute-force and amplification attacks.

### 11. Application Passwords Endpoint
Authorization endpoint exposed at:
```
https://md.gouv.ht/wp-admin/authorize-application.php
```

### 12. 8 Duplicate Video Files
8 identical video files named Visite-1.mp4 through Visite-7.mp4 (plus Visite.mp4), all exactly 9,433,212 bytes (9MB each), all 50 seconds long. Likely the same video uploaded multiple times.

### 13. WhatsApp Image Metadata
Many images are named with WhatsApp export patterns (e.g., "WhatsApp Image 2024-11-28 at 08.19.55"), suggesting content is shared via WhatsApp before upload. Original EXIF data may be present.

### 14. Placeholder/Incomplete Content
- FAQ page has lorem ipsum placeholder text
- "A propos" page has "Click edit button to change this text" placeholder
- "Cabinet du ministre" page has placeholder member entries (Mr v, Mr G, Mme V, etc.)
- Site appears partially built/maintained

---

## ACCESS CONTROL SUMMARY

| Endpoint | Status |
|----------|--------|
| Posts, Pages, Media, Users, Categories, Tags | **OPEN** |
| Comments, Search, Navigation, Types, Statuses, Taxonomies | **OPEN** |
| Popups, OEmbed, Sitemaps | **OPEN** |
| Themes, Plugins, Settings, Menus, Sidebars, Widgets | LOCKED (401) |
| iThemes Security (all endpoints) | LOCKED (401) |
| Code Snippets list | LOCKED (401) |
| Brave Popup data | LOCKED (401) |
| Elementor globals | Redirects to HTML (broken) |
| Menu Items | LOCKED (401) |
| Block Types, Block Patterns | LOCKED (401) |
| wp-content/ | BLOCKED (403) |
| wp-content/uploads/ | BLOCKED (403) |
| wp-content/plugins/ | BLOCKED (403 -- empty) |
| wp-content/themes/ | BLOCKED (403 -- empty) |
| readme.html | BLOCKED (403) |
| wp-login.php | Empty response (possibly hidden/renamed) |
| XML-RPC | **ENABLED** |

---

## FILES DUMPED

### Core API Dumps
- `api-root.json` -- Full API root with 375 routes (528KB)
- `posts-p1.json` -- All 22 posts (195KB)
- `pages-p1.json` -- All 20 pages (259KB)
- `media-p1.json` + `media-p2.json` -- All 168 media items (1.06MB combined)
- `media-ALL.json` -- Combined media (all 168 items)
- `media-urls.txt` -- All media URLs with MIME types
- `categories.json` -- 6 categories
- `tags.json` -- 5 tags
- `users.json` -- 2 users with Gravatar hashes
- `comments-p1.json` -- 1 comment
- `search.json` -- 45 search results
- `types.json` -- 14 content types
- `statuses.json` -- Statuses
- `taxonomies.json` -- 4 taxonomies
- `navigation.json` -- Navigation menu with all page links

### Sitemaps
- `wp-sitemap.xml` -- Main sitemap index
- `wp-sitemap-posts-post-1.xml` -- Post URLs
- `wp-sitemap-posts-page-1.xml` -- Page URLs
- `wp-sitemap-taxonomies-category-1.xml` -- Category URLs
- `wp-sitemap-taxonomies-post_tag-1.xml` -- Tag URLs
- `wp-sitemap-users-1.xml` -- User/author URLs

### Namespace Discovery
- `ithemes-security.json` -- iThemes Security routes
- `elementor.json` -- Elementor routes
- `forminator.json` -- Forminator routes
- `code-snippets.json` -- Code Snippets routes
- `brave.json` -- Brave Popup routes
- `astra.json` / `astra-routes.json` -- Astra theme routes
- `hub-connector.json` -- WPMU DEV Hub routes

### Additional
- `robots.txt` -- Robots directives
- `license.txt` -- WordPress GPL license
- `oembed-home.json` -- OEmbed data for homepage
- `popups.json` -- 1 popup configuration
- `user-1.json` through `user-10.json` -- User enumeration
- `xmlrpc.txt` -- XML-RPC status
- All response headers saved as `*-headers.txt`

---

## RECOMMENDED NEXT STEPS

1. **Download all 19 PDFs** -- Military recruitment/personnel lists with full names
2. **Gravatar email reverse lookup** -- Resolve the two SHA256 hashes to email addresses
3. **WhatsApp image EXIF analysis** -- Check JPEGs for GPS/device metadata
4. **XML-RPC enumeration** -- Test for username brute-force via `system.multicall`
5. **Forminator form analysis** -- Check for form submission endpoints
6. **Video analysis** -- Download and check the 8 MP4 files for metadata
7. **Historical snapshots** -- Check Wayback Machine for older versions of the site
8. **Subdomain enumeration** -- Check for other *.md.gouv.ht or *.gouv.ht services