ODINT
← Back to Cyber Tours

Executive Branch

Summary

Scope: Presidency and Executive Branch public-facing web infrastructure Method: Passive reconnaissance only (HTTP requests, publicly accessible endpoints)

Table of Contents

  1. Cross-Domain Summary & Severity Rankings
  2. Shared Infrastructure Analysis
  3. Domain 1: presidencia.gob.ec
  4. Domain 2: vicepresidencia.gob.ec
  5. Domain 3: comunicacion.gob.ec
  6. Domain 4: planificacion.gob.ec
  7. Domain 5: secretariajuridica.gob.ec
  8. Government GitLab (minka.gob.ec) -- Source Code Exposure
  9. Appendix: Plugin Version Matrix

Cross-Domain Summary & Severity Rankings

CRITICAL

# Finding Domain(s) Description
C1 Oraculo Plugin -- Hardcoded Credentials in Public Source ALL (Sitio-32 theme) The oraculo.php plugin bundled with the government theme contains hardcoded salt ALRTOPER984TNMGDGFDH and password SNAPsitio30v. Source code publicly accessible on minka.gob.ec GitLab.
C2 Oraculo Plugin -- SQL Injection ALL (Sitio-32 theme) Direct $_REQUEST parameters used in SQL queries with only addslashes() protection. Multiple injection points in image header and banner management functions.
C3 Oraculo Plugin -- File Upload Without Validation ALL (Sitio-32 theme) File uploads validated only by extension check via strrpos(). No MIME type validation, no content inspection. Predictable upload paths.
C4 raw.php -- Unauthenticated Data Extraction presidencia.gob.ec (confirmed, 500 error) Theme file raw.php accepts date range parameters via $_REQUEST, queries all posts, and outputs raw print_r() data. No authentication, no nonce verification, no input sanitization.
C5 Government Theme Source Code Publicly Exposed minka.gob.ec Complete Sitio-32 theme source (including oraculo plugin, functions.php, all templates) publicly accessible on Ecuador's government GitLab at minka.gob.ec/Quinaluisa/traduccion/.

HIGH

# Finding Domain(s) Description
H1 WordPress User Enumeration -- Open comunicacion.gob.ec
24 Comunicacion Digital comunicacion-digital
20 Direccion de Comunicacion Digital de Gobierno y Cobertura simon-feijoo

The simon-feijoo slug under the "Direccion de Comunicacion Digital" display name reveals a real person's name (Simon Feijoo) managing government digital communications.

robots.txt Misconfiguration

The robots.txt has an empty Disallow: directive, meaning it explicitly allows ALL crawling of the entire site, including wp-admin paths. This is likely unintentional.

REST API Namespaces

wp/v2, oembed/1.0, yoast/v1, sweep/v1, ea11y/v1,
google-site-kit/v1

Yoast SEO API Exposure

The /wp-json/yoast/v1/get_head endpoint returns:

  • Yoast SEO version: 27.0
  • Organization schema data
  • Social media handles: @comunicacionec (X/Twitter), ComunicacionEcuador (Facebook)
  • Logo URL: /wp-content/uploads/2023/11/Logo.svg

Security Posture

  • Good: No .env/.git exposed, no debug.log
  • CRITICAL: User enumeration wide open, XML-RPC enabled (405 = accepts POST), robots.txt allows all crawling
  • Bad: Full REST API accessible, plugin readmes expose versions, no security headers, author sitemap exposes usernames

Domain 4: planificacion.gob.ec

Status: UNREACHABLE (TLS Error) URL: https://www.planificacion.gob.ec Organization: Secretaria Nacional de la Administracion Publica y Planificacion

Findings

  • HTTPS: Fails with "self signed certificate in certificate chain"
  • HTTP: Also fails (connection refused or redirects to broken HTTPS)
  • With www: Self-signed cert error
  • Without www: ECONNREFUSED

The domain exists and is referenced in government portals (gob.ec/snp) and CEPAL planning observatory, but the web server has a broken TLS configuration. A subdomain planificacion.presidencia.gob.ec was also found in search results, suggesting the site may have been consolidated under the presidency domain.

Security Assessment

  • MEDIUM: Self-signed certificate in production. Users accessing this site must bypass browser security warnings, which normalizes ignoring TLS errors -- a social engineering risk.

Domain 5: secretariajuridica.gob.ec

Status: OFFLINE / UNREACHABLE URL: https://www.secretariajuridica.gob.ec Organization: Legal Secretariat of Ecuador

Findings

  • HTTPS with www: ECONNREFUSED
  • HTTPS without www: ECONNREFUSED
  • HTTP with www: Connection error ("Was there a typo in the url or port?")
  • HTTP without www: Connection error

The domain appears completely offline. No DNS resolution or web server is responding. Web searches return no current results for this domain. The Legal Secretariat may have been reorganized or its web presence consolidated into another portal.

Security Assessment

  • LOW: Domain is simply not operational. No attack surface exists.

Government GitLab: minka.gob.ec

Discovery

The subdomain minka.presidencia.gob.ec (found in presidencia homepage source) and the domain minka.gob.ec host Ecuador's government GitLab instance.

Key Finding: Sitio-32 Theme Source Code Exposed

Repository: minka.gob.ec/Quinaluisa/traduccion Path: SOURCE/themes/Sitio-32/ Commit: 536849a1a1d9a8ff67f02f0b95a1f7511bdeb2fc Access: Public (no authentication required)

The repository contains the complete source code of the government WordPress theme, including:

Theme Structure (78 items: 15 directories + 63 files)

  • oraculo/ -- Centralized content management plugin
  • plugins/ -- Bundled plugins (banner-ads-rotator, oraculo)
  • ajax/, inc/, js/, css/ -- Core theme assets
  • functions.php -- Theme initialization with XSS vulnerabilities
  • raw.php -- Unauthenticated data extraction endpoint
  • test.php -- PHP unserialization test file
  • front-page.php.bck -- Backup file left in production
  • storeit.txt -- Binary/encoded data file

oraculo.php -- Critical Vulnerabilities

Hardcoded salt: "ALRTOPER984TNMGDGFDH"
Hardcoded password: "SNAPsitio30v"
  • SQL injection via $_REQUEST parameters in image header queries
  • File uploads with extension-only validation
  • Admin functions without capability checks or nonce verification
  • Deprecated mcrypt_* encryption functions
  • Direct MySQLi queries without prepared statements

raw.php -- Unauthenticated WP_Query

Accepts date1 and date2 via $_REQUEST, queries all posts in range, outputs raw print_r(). No authentication, no nonce, no input sanitization.

functions.php -- XSS Vectors

  • compartir() function outputs unsanitized get_the_title() and get_the_excerpt() in JavaScript strings
  • Multiple echo statements without esc_attr(), esc_url(), or wp_kses_post()
  • HTTP (not HTTPS) Google Fonts loading

Other Public Repositories on minka.gob.ec

Project Namespace Description Last Activity
firmadigital-libreria mintel/ge/firmaec Digital signature core library 2026-03-03
firmadigital-api mintel/ge/firmaec FirmaEC API service 2026-03-02
firmadigital-servicio mintel/ge/firmaec FirmaEC communication service 2026-03-02

The FirmaEC repositories handle Ecuador's national digital signature infrastructure, suggesting minka.gob.ec is used for critical government code.

Appendix: Plugin Version Matrix

Plugin presidencia vicepresidencia comunicacion Source
WordPress 6.9 (inferred) 6.9 (inferred) 6.9 (confirmed) Homepage source / emoji script
Wordfence 8.1.3 8.1.3 8.1.3 readme.txt
W3 Total Cache 2.8.15 2.8.15 2.8.15 readme.txt
Kadence Blocks 3.5.29 present (unversioned) not detected readme.txt
Download Monitor 3.3.5.9 present present readme.txt
Yoast SEO not detected not detected 27.0 readme.txt / API
PromoSlider 3.3.1 3.3.1 3.3.4 JS inline config
Google Site Kit present present present wp-json namespace
MailerLite present not detected not detected wp-json namespace
GetResponse present not detected not detected wp-json namespace
FluentCRM present not detected not detected wp-json namespace
Sweep present present present wp-json namespace
ea11y (Accessibility) not detected not detected present wp-json namespace
Sitio-32 Theme v3.2 v3.2 v3.2 style.css header
Oraculo (bundled) present present present Theme source on GitLab

Google Analytics IDs

Domain GA4 Measurement ID Developer ID
presidencia.gob.ec G-19RMBSD1QR dZTNiMT
vicepresidencia.gob.ec G-F93YP3SE1D --
comunicacion.gob.ec G-934XJFJX0K dZTNiMT

Key Takeaways

  1. Centralized but Vulnerable: Ecuador runs a standardized government WordPress platform (Sitio-32) across executive branch sites. This means a vulnerability in the shared theme or oraculo plugin affects ALL government sites simultaneously.

  2. Source Code Exposed: The complete theme source code, including hardcoded credentials, is publicly accessible on the government's own GitLab instance (minka.gob.ec).

  3. Inconsistent Security: presidencia.gob.ec and vicepresidencia.gob.ec have user enumeration properly blocked (likely Wordfence), but comunicacion.gob.ec does not -- suggesting per-site configuration rather than centralized policy.

  4. XML-RPC + User Enumeration = Brute Force Risk: comunicacion.gob.ec has both user enumeration (3 known usernames) and XML-RPC enabled, creating a direct brute-force attack path.

  5. Legacy Code Debt: The oraculo plugin uses deprecated PHP functions (mcrypt), direct SQL queries, and patterns from 2015-era WordPress development. It has not been modernized.

  6. No Security Headers: None of the three active domains implement modern security headers (HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy).

  7. Two Domains Unreachable: planificacion.gob.ec has a broken TLS certificate and secretariajuridica.gob.ec is completely offline, suggesting infrastructure neglect.

© 2026 Observatory for Digital Infrastructure and Network Transparency. Independent nonprofit.

Home | Privacy | Terms