Scope: Presidency and Executive Branch public-facing web infrastructure Method: Passive reconnaissance only (HTTP requests, publicly accessible endpoints)
| # | Finding | Domain(s) | Description |
|---|---|---|---|
| C1 | Oraculo Plugin -- Hardcoded Credentials in Public Source | ALL (Sitio-32 theme) | The oraculo.php plugin bundled with the government theme contains hardcoded salt ALRTOPER984TNMGDGFDH and password SNAPsitio30v. Source code publicly accessible on minka.gob.ec GitLab. |
| C2 | Oraculo Plugin -- SQL Injection | ALL (Sitio-32 theme) | Direct $_REQUEST parameters used in SQL queries with only addslashes() protection. Multiple injection points in image header and banner management functions. |
| C3 | Oraculo Plugin -- File Upload Without Validation | ALL (Sitio-32 theme) | File uploads validated only by extension check via strrpos(). No MIME type validation, no content inspection. Predictable upload paths. |
| C4 | raw.php -- Unauthenticated Data Extraction | presidencia.gob.ec (confirmed, 500 error) | Theme file raw.php accepts date range parameters via $_REQUEST, queries all posts, and outputs raw print_r() data. No authentication, no nonce verification, no input sanitization. |
| C5 | Government Theme Source Code Publicly Exposed | minka.gob.ec | Complete Sitio-32 theme source (including oraculo plugin, functions.php, all templates) publicly accessible on Ecuador's government GitLab at minka.gob.ec/Quinaluisa/traduccion/. |
| # | Finding | Domain(s) | Description |
|---|---|---|---|
| H1 | WordPress User Enumeration -- Open | comunicacion.gob.ec | |
| 24 | Comunicacion Digital | comunicacion-digital | |
| 20 | Direccion de Comunicacion Digital de Gobierno y Cobertura | simon-feijoo |
The simon-feijoo slug under the "Direccion de Comunicacion Digital" display name reveals a real person's name (Simon Feijoo) managing government digital communications.
The robots.txt has an empty Disallow: directive, meaning it explicitly allows ALL crawling of the entire site, including wp-admin paths. This is likely unintentional.
wp/v2, oembed/1.0, yoast/v1, sweep/v1, ea11y/v1,
google-site-kit/v1
The /wp-json/yoast/v1/get_head endpoint returns:
@comunicacionec (X/Twitter), ComunicacionEcuador (Facebook)/wp-content/uploads/2023/11/Logo.svgStatus: UNREACHABLE (TLS Error)
URL: https://www.planificacion.gob.ec
Organization: Secretaria Nacional de la Administracion Publica y Planificacion
The domain exists and is referenced in government portals (gob.ec/snp) and CEPAL planning observatory, but the web server has a broken TLS configuration. A subdomain planificacion.presidencia.gob.ec was also found in search results, suggesting the site may have been consolidated under the presidency domain.
Status: OFFLINE / UNREACHABLE
URL: https://www.secretariajuridica.gob.ec
Organization: Legal Secretariat of Ecuador
The domain appears completely offline. No DNS resolution or web server is responding. Web searches return no current results for this domain. The Legal Secretariat may have been reorganized or its web presence consolidated into another portal.
The subdomain minka.presidencia.gob.ec (found in presidencia homepage source) and the domain minka.gob.ec host Ecuador's government GitLab instance.
Repository: minka.gob.ec/Quinaluisa/traduccion
Path: SOURCE/themes/Sitio-32/
Commit: 536849a1a1d9a8ff67f02f0b95a1f7511bdeb2fc
Access: Public (no authentication required)
The repository contains the complete source code of the government WordPress theme, including:
oraculo/ -- Centralized content management pluginplugins/ -- Bundled plugins (banner-ads-rotator, oraculo)ajax/, inc/, js/, css/ -- Core theme assetsfunctions.php -- Theme initialization with XSS vulnerabilitiesraw.php -- Unauthenticated data extraction endpointtest.php -- PHP unserialization test filefront-page.php.bck -- Backup file left in productionstoreit.txt -- Binary/encoded data fileHardcoded salt: "ALRTOPER984TNMGDGFDH"
Hardcoded password: "SNAPsitio30v"
$_REQUEST parameters in image header queriesmcrypt_* encryption functionsAccepts date1 and date2 via $_REQUEST, queries all posts in range, outputs raw print_r(). No authentication, no nonce, no input sanitization.
compartir() function outputs unsanitized get_the_title() and get_the_excerpt() in JavaScript stringsecho statements without esc_attr(), esc_url(), or wp_kses_post()| Project | Namespace | Description | Last Activity |
|---|---|---|---|
| firmadigital-libreria | mintel/ge/firmaec | Digital signature core library | 2026-03-03 |
| firmadigital-api | mintel/ge/firmaec | FirmaEC API service | 2026-03-02 |
| firmadigital-servicio | mintel/ge/firmaec | FirmaEC communication service | 2026-03-02 |
The FirmaEC repositories handle Ecuador's national digital signature infrastructure, suggesting minka.gob.ec is used for critical government code.
| Plugin | presidencia | vicepresidencia | comunicacion | Source |
|---|---|---|---|---|
| WordPress | 6.9 (inferred) | 6.9 (inferred) | 6.9 (confirmed) | Homepage source / emoji script |
| Wordfence | 8.1.3 | 8.1.3 | 8.1.3 | readme.txt |
| W3 Total Cache | 2.8.15 | 2.8.15 | 2.8.15 | readme.txt |
| Kadence Blocks | 3.5.29 | present (unversioned) | not detected | readme.txt |
| Download Monitor | 3.3.5.9 | present | present | readme.txt |
| Yoast SEO | not detected | not detected | 27.0 | readme.txt / API |
| PromoSlider | 3.3.1 | 3.3.1 | 3.3.4 | JS inline config |
| Google Site Kit | present | present | present | wp-json namespace |
| MailerLite | present | not detected | not detected | wp-json namespace |
| GetResponse | present | not detected | not detected | wp-json namespace |
| FluentCRM | present | not detected | not detected | wp-json namespace |
| Sweep | present | present | present | wp-json namespace |
| ea11y (Accessibility) | not detected | not detected | present | wp-json namespace |
| Sitio-32 Theme | v3.2 | v3.2 | v3.2 | style.css header |
| Oraculo (bundled) | present | present | present | Theme source on GitLab |
| Domain | GA4 Measurement ID | Developer ID |
|---|---|---|
| presidencia.gob.ec | G-19RMBSD1QR | dZTNiMT |
| vicepresidencia.gob.ec | G-F93YP3SE1D | -- |
| comunicacion.gob.ec | G-934XJFJX0K | dZTNiMT |
Centralized but Vulnerable: Ecuador runs a standardized government WordPress platform (Sitio-32) across executive branch sites. This means a vulnerability in the shared theme or oraculo plugin affects ALL government sites simultaneously.
Source Code Exposed: The complete theme source code, including hardcoded credentials, is publicly accessible on the government's own GitLab instance (minka.gob.ec).
Inconsistent Security: presidencia.gob.ec and vicepresidencia.gob.ec have user enumeration properly blocked (likely Wordfence), but comunicacion.gob.ec does not -- suggesting per-site configuration rather than centralized policy.
XML-RPC + User Enumeration = Brute Force Risk: comunicacion.gob.ec has both user enumeration (3 known usernames) and XML-RPC enabled, creating a direct brute-force attack path.
Legacy Code Debt: The oraculo plugin uses deprecated PHP functions (mcrypt), direct SQL queries, and patterns from 2015-era WordPress development. It has not been modernized.
No Security Headers: None of the three active domains implement modern security headers (HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy).
Two Domains Unreachable: planificacion.gob.ec has a broken TLS certificate and secretariajuridica.gob.ec is completely offline, suggesting infrastructure neglect.