{
  "claim_outcome": "not_confirmed",
  "claim_block_reason": "no_bypass_found: the 4.2.4/4.2.5 closed-default trust gate (G1) blocks every contributor payload from reaching eval(); all widgetopts_safe_eval_trusted() call sites consume admin-controlled/DB-backed input; no materially distinct contributor-reachable path to eval() exists on the fixed or latest version",
  "variant_kind": "bypass_attempt",
  "variant_result": "no_bypass",
  "validated_surface": "api_remote",
  "evidence_scope": "static_harness_against_real_extracted_source",
  "claimed_impact_class": "code_execution",
  "observed_impact_class": "none_on_fixed_code_execution_only_on_vuln",
  "exploitability_confidence": "high_on_vulnerable_none_on_fixed",
  "attacker_controlled_input": "Display Logic PHP expression (block-renderer REST attributes.class.logic) and freeform <!--start_widgetopts--> comment JSON, supplied by an authenticated Contributor",
  "trigger_path": "Contributor -> REST block-renderer / saved freeform comment -> render_block -> blockopts_filter_before_display -> widgetopts_safe_eval[_trusted] -> eval()",
  "end_to_end_target_reached": false,
  "sanitizer_used": false,
  "crash_observed": false,
  "read_write_primitive_observed": false,
  "exploit_chain_demonstrated": false,
  "blocking_mitigation": "G1 closed-default trust gate (widgetopts_safe_eval: non-admin && !widgetopts_eval_is_trusted() => return true before eval/validator); G2 token validator now blocks '}'/T_FUNCTION/T_FN before '('; G3 render_block_data sha256 allowlist scoped to /wp/v2/block-renderer/ via rest_pre_dispatch; G4 wp_insert_post_data + rest_request_before_callbacks stripper for parsed attrs + freeform comments; G5 preview guard for non-admins",
  "variants_tested": [
    {"id": "A_original_cve", "vuln_4.2.3": "reached_eval", "fixed_4.2.4": "blocked_G1", "latest_4.2.5": "blocked_G1"},
    {"id": "B_stripslashes_diff", "vuln_4.2.3": "reached_eval", "fixed_4.2.4": "blocked_G1", "latest_4.2.5": "blocked_G1"},
    {"id": "D_brace_var_call", "vuln_4.2.3": "reached_eval", "fixed_4.2.4": "blocked_G1_and_G2", "latest_4.2.5": "blocked_G1_and_G2"},
    {"id": "E_concat_callable", "vuln_4.2.3": "rejected_by_validator", "fixed_4.2.4": "blocked_G1", "latest_4.2.5": "blocked_G1"},
    {"id": "F_freeform_comment", "vuln_4.2.3": "stripped_at_save_G4", "fixed_4.2.4": "stripped_at_save_G4_not_reachable_via_block_renderer_preview_G5", "latest_4.2.5": "stripped_at_save_G4_not_reachable_via_block_renderer_preview_G5"}
  ],
  "capability_audited_paths_ruled_out": [
    "snippets CPT (widgetopts_snippet): admin-only, manage_options required to create/edit (class-snippets-cpt.php:76-86)",
    "classic widgets (display.php:586): edit_theme_options/admin-controlled widget options",
    "elementor/render.php:391, beaver/beaver.php:930, siteorigin.php:55: page-builder edit access = admin/editor"
  ],
  "fixed_version_identity": {"version": "4.2.4", "extras_php_identical_to_latest": true},
  "latest_version_identity": {"version": "4.2.5", "extras_php_identical_to_fixed": true, "changelog": "WP 7.0 compat bump only"},
  "inferred": false,
  "notes": "Negative variant result. Fewer than 3 distinct BYPASS candidates exist because G1 is input-agnostic (blocks every payload shape for a contributor). The only theoretical bypass class (trust flag set with contributor-controlled input) has no realisation: all 6 widgetopts_safe_eval_trusted() call sites consume admin-controlled/DB-backed input. Reproduction script exits 1 (NO_BYPASS); ran twice idempotently."
}
