| Metric | Value |
|---|---|
| Pages extracted | 379 |
| Posts extracted | 504 |
| Media items (with download URLs) | 2,059 |
| Users enumerated | 3 |
| Total data | 13.4 MB |
Three Pakistani organizations expose their complete WordPress REST API without authentication. The API endpoints at /wp-json/wp/v2/* yield all pages, posts, media items with direct download URLs, user accounts, categories, and tags — no credentials required.
Target 1: QAU.EDU.PK — Quaid-i-Azam University
Pakistan's #1 ranked university (QS World Rankings)
| Field | Value |
|---|---|
| Server | nginx/1.14.1 (current: 1.27.x — 7 years old) |
| CMS | WordPress |
| API Schema | 306 KB (full) |
| User Enumeration | Blocked (403 on /wp-json/wp/v2/users) |

| Endpoint | Records | Size |
|---|---|---|
| Pages | 200 | 2.4 MB |
| Posts | 484 | 1.4 MB |
| Media | 603 items | 200 KB metadata |
| Categories | 164 | 179 KB |
| Tags | 13 | 12 KB |
| Search (43 terms) | 1,545+ results | 1.2 MB |
| Total | — | 6.6 MB |
Additional Exposed Endpoints (Beyond API)
| Path | Size | Exposure |
|---|---|---|
| /webmail/ | 4.9 KB | Roundcube Webmail login — @qau.edu.pk accounts |
| /phpmyadmin/ | redirect | phpMyAdmin confirmed on server |
| /admin/ | 94 KB | Administration section (public access) |
| /intercom-directory/ | 92 KB | 71 KB PDF — complete university phone directory |
| /faculty/ | 110 KB | Faculty/employee directory |
| /downloads/ | 121 KB | Downloadable documents |
Risk Assessment — CRITICAL: Full WordPress API + Roundcube webmail + phpMyAdmin + outdated nginx/1.14.1 = high-value target for credential attacks and potential webshell deployment via phpMyAdmin.
Search Intelligence (43 keyword probes)
| Search Term | Results | Intelligence Value |
|---|---|---|
| faculty | 100 | Faculty member profiles, appointments |
| professor | 100 | Individual professor data |
| staff | 84 | Staff directories by section |
| admission | 77 | Admission notices, merit lists |
| fee | 90 | Fee structures per program |
| scholarship | 57 | Financial aid programs |
| security | 65 | Campus security operations, CCTV references |
| salary | 3 | Salary section staff details |
Target 2: BALOCHISTAN.GOV.PK — Government of Balochistan
Provincial government — the only remaining live provincial .gov.pk portal during wartime
| Field | Value |
|---|---|
| Server | Cloudflare (origin unknown) |
| CMS | WordPress + Elementor |
| User Enumeration | EXPOSED — 1 user found |
WordPress Users Enumerated
| ID | Username | Gravatar Hash |
|---|---|---|
| 4 | admin_bal | 49d835e800b2f8de9d230f39d1718274e0364b4aff0a72de4bd274d82dbbf38b |

| Endpoint | Records | Size |
|---|---|---|
| Pages | 149 | 1.0 MB |
| Posts | 12 | 58 KB |
| Media | 1,297 items | 4.6 MB metadata (with direct download URLs) |
| Users | 1 | 917 bytes |
| API Schema | 1 | 235 KB |
| Total | — | 5.9 MB |
Government content exposed via API: Divisional commissioner appointments, Gwadar Safe City project staffing, budget documents 2020–2026 (PSDP, White Papers, Volumes I–VIII), departmental legislation for 14+ departments, citizen services portal URLs.
robots.txt: Blocks AI crawlers (ClaudeBot, GPTBot, CCBot, Bytespider) — but the WordPress REST API is completely unprotected.
Target 3: SIT.BALOCHISTAN.GOV.PK — Science & IT Department
Provincial IT department — shares administrator with balochistan.gov.pk
| ID | Username | Gravatar Hash |
|---|---|---|
| 1 | admin | 49d835e800b2f8de9d230f39d1718274e0364b4aff0a72de4bd274d82dbbf38b |
| 5 | sitbalochistango | 5170d034630581b7e24444f63ad4abc270f222516526d15787a6198ffe6229ac |
CRITICAL CORRELATION: User "admin" (ID 1) on sit.balochistan.gov.pk has the identical gravatar hash as admin_bal (ID 4) on balochistan.gov.pk. This confirms a single person administers both Balochistan government WordPress installations. /wp-login.php is directly accessible (8.3 KB) on the SIT domain.
Cross-Target Analysis: Single-Admin Vulnerability
balochistan.gov.pk → admin_bal (ID 4) → gravatar: 49d835e800b2f8...
sit.balochistan.gov.pk → admin (ID 1) → gravatar: 49d835e800b2f8...
↑ IDENTICAL HASH
Single email address = administrator of two provincial government sites.
Compromise one account = both sites fall.
WordPress Security Posture Comparison
| Feature | QAU | Balochistan | SIT Balochistan |
|---|---|---|---|
| API publicly accessible | YES | YES | YES |
| User enumeration | Blocked (403) | EXPOSED | EXPOSED |
| wp-login.php accessible | Unknown | Unknown | YES (8.3 KB) |
| Webmail accessible | YES (Roundcube) | No | No |
| phpMyAdmin | YES | No | No |
| Outdated server software | YES (nginx/1.14.1) | Unknown (Cloudflare) | Unknown (Cloudflare) |
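The posture table above and the risk assessment for QAU describe exposures that leave a clear trace in the web server's access log: requests to /wp-json/wp/v2/users (or the ?rest_route= equivalent), ?author=N probes, bulk pulls of the pages/posts/media collections, and hits on /phpmyadmin/, /webmail/ and wp-login.php. The script below is an added example written for the defending site owner; it is not part of the original report and is not a tool the report used. It assumes the nginx "combined" log format and runs over constructed sample lines using RFC 5737 documentation addresses. Note how it distinguishes a 403 on the users endpoint (the QAU posture) from a 200 (the Balochistan posture), which is the difference between an attempted and a successful enumeration.

```python
import re
from collections import defaultdict

# nginx "combined" format:
# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Request patterns matching the exposures in the report: REST user enumeration,
# author-ID enumeration, and probes of the admin surfaces (phpMyAdmin, webmail, wp-login).
SIGNATURES = {
    "rest_users_enum": re.compile(r"/wp-json/wp/v2/users|[?&]rest_route=/wp/v2/users"),
    "author_id_enum": re.compile(r"[?&]author=\d+"),
    "admin_surface_probe": re.compile(r"^/(phpmyadmin|webmail|wp-login\.php|xmlrpc\.php)"),
}
# Content collections whose bulk retrieval indicates a full API crawl rather than theme traffic.
COLLECTION_RE = re.compile(r"(?:/wp-json|rest_route=)/wp/v2/(pages|posts|media|categories|tags)\b")

# Constructed sample lines (documentation addresses from RFC 5737, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/May/2025:11:02:01 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 917 "-" "python-requests/2.31.0"',
    '203.0.113.7 - - [10/May/2025:11:02:02 +0000] "GET /index.php?rest_route=/wp/v2/users HTTP/1.1" 200 917 "-" "python-requests/2.31.0"',
    '203.0.113.7 - - [10/May/2025:11:02:03 +0000] "GET /wp-json/wp/v2/pages?per_page=100&page=1 HTTP/1.1" 200 524288 "-" "python-requests/2.31.0"',
    '203.0.113.7 - - [10/May/2025:11:02:05 +0000] "GET /wp-json/wp/v2/posts?per_page=100&page=1 HTTP/1.1" 200 398211 "-" "python-requests/2.31.0"',
    '203.0.113.7 - - [10/May/2025:11:02:07 +0000] "GET /wp-json/wp/v2/media?per_page=100&page=1 HTTP/1.1" 200 611002 "-" "python-requests/2.31.0"',
    '203.0.113.7 - - [10/May/2025:11:02:09 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "python-requests/2.31.0"',
    '203.0.113.7 - - [10/May/2025:11:02:10 +0000] "GET /phpmyadmin/ HTTP/1.1" 302 0 "-" "python-requests/2.31.0"',
    '198.51.100.9 - - [10/May/2025:11:05:00 +0000] "GET /wp-json/wp/v2/posts?per_page=10 HTTP/1.1" 200 20480 "https://example.test/" "Mozilla/5.0"',
    '198.51.100.9 - - [10/May/2025:11:05:01 +0000] "GET /index.php HTTP/1.1" 200 12345 "-" "Mozilla/5.0"',
    '192.0.2.33 - - [10/May/2025:11:09:42 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 403 118 "-" "curl/8.5.0"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def profile_clients(lines):
    """Aggregate per-client-IP signature counts, REST collections pulled, and successful user pulls."""
    profiles = defaultdict(lambda: {"signatures": defaultdict(int), "collections": set(), "users_200": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        prof = profiles[rec["ip"]]
        for name, rx in SIGNATURES.items():
            if rx.search(rec["path"]):
                prof["signatures"][name] += 1
                # 200 on the users endpoint = enumeration succeeded; 403 = site blocks it, attempt only.
                if name == "rest_users_enum" and rec["status"] == 200:
                    prof["users_200"] += 1
        coll = COLLECTION_RE.search(rec["path"])
        if coll and rec["status"] == 200:
            prof["collections"].add(coll.group(1))
    return profiles


def detect(lines, crawl_threshold=3):
    """Return (ip, severity, message) alerts; crawl_threshold = distinct collections pulled by one IP."""
    alerts = []
    for ip, prof in sorted(profile_clients(lines).items()):
        sigs = prof["signatures"]
        if prof["users_200"]:
            alerts.append((ip, "CRITICAL", "REST user enumeration succeeded (HTTP 200 on wp/v2/users)"))
        elif sigs["rest_users_enum"] or sigs["author_id_enum"]:
            alerts.append((ip, "MEDIUM", "user enumeration attempted (blocked or redirected)"))
        if len(prof["collections"]) >= crawl_threshold:
            alerts.append((ip, "HIGH", "bulk REST crawl of collections: " + ", ".join(sorted(prof["collections"]))))
        if sigs["admin_surface_probe"]:
            alerts.append((ip, "MEDIUM", "admin surface probed (phpmyadmin/webmail/wp-login/xmlrpc)"))
    return alerts


if __name__ == "__main__":
    for ip, severity, message in detect(SAMPLE_LOG):
        print(f"{severity:8} {ip:15} {message}")
```

On the sample data the crawler at 203.0.113.7 produces a CRITICAL (users endpoint answered 200), a HIGH (three collections pulled in bulk) and a MEDIUM (phpMyAdmin probe); 192.0.2.33 produces only a MEDIUM because the users endpoint returned 403, the behaviour the QAU row in the table shows; the ordinary visitor at 198.51.100.9 produces nothing. In production, feed `detect()` lines from the real access log and alert on CRITICAL/HIGH; the same 403-versus-200 distinction is the quickest check of whether your own REST user endpoint is locked down.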
Combined Extraction
| Category | Combined Total |
|---|---|
| Pages | 379 (200 + 149 + 30) |
| Posts | 504 (484 + 12 + 8) |
| Media items | 2,059 (603 + 1,297 + 159) |
| Users enumerated | 3 |
| API schemas | 788 KB |
| Total data | 13.4 MB |