{
  "repository": "wordpress.org/plugin/widget-options (MarketingFire/Widget Options)",
  "commit_source": "release_tag_resolution",
  "commit_sha": "4.2.5",
  "submitted_target": {
    "target_kind": "wordpress_plugin_version",
    "version": "4.2.3",
    "ref": "widget-options 4.2.3 (vulnerable, parent CVE-2026-54823)",
    "display": "Widget Options 4.2.3"
  },
  "variant_target": {
    "target_kind": "wordpress_plugin_version",
    "version": "4.2.5",
    "ref": "widget-options 4.2.5 (latest); 4.2.4 (fixed) byte-identical on security surface",
    "display": "Widget Options 4.2.4 (fixed) / 4.2.5 (latest)",
    "commit_sha": "4.2.5"
  },
  "tested_versions": [
    {"version": "4.2.3", "role": "vulnerable", "source": "bundle/artifacts/wo-versions/ext-4.2.3/widget-options", "widgetopts_version_constant": "4.2.3"},
    {"version": "4.2.4", "role": "fixed", "source": "bundle/artifacts/wo-versions/ext-4.2.4/widget-options", "widgetopts_version_constant": "4.2.4", "extras_php_identical_to_4.2.5": true},
    {"version": "4.2.5", "role": "latest", "source": "bundle/artifacts/wo-versions/ext-4.2.5/widget-options", "widgetopts_version_constant": "4.2.5", "extras_php_identical_to_4.2.4": true, "changelog": "Improved: Updated and tested for WordPress version 7.0 (no security change)"}
  ],
  "resolution_method": "Distribution zips from downloads.wordpress.org/plugin/widget-options.<ver>.zip, extracted under bundle/artifacts/wo-versions/ext-<ver>/. Version constants read from plugin.php (WIDGETOPTS_VERSION). Byte-identity of 4.2.4 vs 4.2.5 security surface confirmed via cmp on includes/extras.php and includes/widgets/gutenberg/gutenberg-toolbar.php. No upstream git history available (plugin distributed as release zips, advisory shipped no commit hash).",
  "notes": "Negative variant result (no bypass confirmed). source_identity recorded for traceability of the exact tested fixed/latest revisions even though no distinct variant/bypass was confirmed. The 4.2.4 analysis covers the current 4.2.5 release because the security surface is byte-identical."
}
