{
  "entrypoint_kind": "api_remote",
  "entrypoint_detail": "POST/GET /wp-json/wp/v2/block-renderer/<block> (attributes.extended_widget_opts_block.class.logic) and saved post_content freeform <!--start_widgetopts--> comments, reaching widgetopts_safe_eval()->eval()",
  "runtime_kind": "static_harness_against_real_extracted_source",
  "service_started": false,
  "healthcheck_passed": true,
  "target_path_reached": false,
  "runtime_stack": ["php-cli", "token_get_all function extractor", "widget-options 4.2.3/4.2.4/4.2.5 extracted sources"],
  "proof_artifacts": [
    "logs/vuln_variant/variant_summary.log",
    "logs/vuln_variant/harness_4.2.3.log",
    "logs/vuln_variant/harness_4.2.4.log",
    "logs/vuln_variant/harness_4.2.5.log",
    "logs/vuln_variant/bypass_flag.txt"
  ],
  "method": "A PHP harness (bundle/vuln_variant/variant_harness.php) token-extracts the REAL widgetopts_safe_eval/widgetopts_validate_expression/widgetopts_validate_code_with_tokens/widgetopts_strip_logic_from_blocks from each version's extras.php/gutenberg-toolbar.php, stubs minimal WordPress functions, simulates a Contributor (current_user_can('manage_options')=false, non-preview, no trust flag), and uses a parse-error probe to distinguish 'G1 blocked (eval never reached, returns true)' from 'eval reached (Throwable caught, returns false)'. No live WordPress/REST server is started; the eval sink reachability is determined from the real extracted code semantics.",
  "verdict": "NO_BYPASS — eval_reached_for_contributor=True on 4.2.3, False on 4.2.4 and 4.2.5",
  "notes": "End-to-end live confirmation that the original CVE payload is blocked on the fixed 4.2.4 build is provided by the parent reproduction (bundle/repro/ logs/exploit_fixed.log: PHP_PROOF_EXISTS False, TMP_PROOF_EXISTS False). This variant stage adds static-harness coverage of alternate payload shapes and data paths against the real fixed/latest source."
}
