{
  "variant_id": "CVE-2026-54823-wo-variant-blockrenderer-eval-family",
  "created_at": "2026-07-05T17:19:00Z",
  "variant_summary": "Variant/bypass analysis of the Widget Options 4.2.4 fix for CVE-2026-54823 (Contributor RCE via block-renderer REST -> widgetopts_safe_eval -> eval). Five runtime candidate variants (original payload, stripslashes-differential, ${'z'}() brace-call, array_map concat callable, freeform <!--start_widgetopts--> comment injection) plus four capability-audited admin-gated paths (snippets CPT, classic widgets, Elementor/Beaver/SiteOrigin) were analysed. NO bypass found: the 4.2.4 closed-default trust gate (G1) blocks every contributor payload from reaching eval regardless of shape, and all widgetopts_safe_eval_trusted() call sites consume admin-controlled/DB-backed input. 4.2.5 (latest) is byte-identical to 4.2.4 on the security surface. Variants A/B/D are alternate triggers of the same root cause on vulnerable 4.2.3 only.",
  "relation": "newer_version_sibling",
  "origin_kind": "pruva_variant",
  "repository": "wordpress.org/plugin/widget-options (MarketingFire/Widget Options)",
  "submitted_target": {
    "target_kind": "wordpress_plugin_version",
    "version": "4.2.3",
    "ref": "widget-options 4.2.3 (vulnerable)",
    "display": "Widget Options 4.2.3 (vulnerable, parent CVE-2026-54823)"
  },
  "variant_target": {
    "target_kind": "wordpress_plugin_version",
    "version": "4.2.5",
    "ref": "widget-options 4.2.5 (latest); 4.2.4 (fixed) identical on security surface",
    "display": "Widget Options 4.2.4 (fixed) / 4.2.5 (latest) — fix under test",
    "commit_sha": "4.2.5"
  },
  "same_root_cause_confidence": "high",
  "same_surface_confidence": "high",
  "claimed_surface": "api_remote",
  "validated_surface": "api_remote",
  "required_entrypoint_kind": "api_remote",
  "required_entrypoint_detail": "POST/GET /wp-json/wp/v2/block-renderer/<block> (WordPress REST block-renderer) and saved post_content freeform <!--start_widgetopts--> comments, all reaching widgetopts_safe_eval()->eval() via the Display Logic module",
  "attacker_controlled_input": "Display Logic PHP expression in extended_widget_opts_block.class.logic (block-renderer REST attributes) and freeform <!--start_widgetopts--> comment JSON (post_content), supplied by an authenticated Contributor",
  "trigger_path": "Contributor -> REST block-renderer attributes.class.logic (or saved freeform comment) -> render_block filter -> blockopts_filter_before_display -> widgetopts_safe_eval[_trusted] -> eval()",
  "observed_impact_class": "code_execution",
  "exploitability_confidence": "high_on_vuln_none_on_fixed",
  "evidence_scope": "static_harness_against_real_extracted_source",
  "runtime_manifest_present": true,
  "end_to_end_target_reached": false,
  "inferred": false,
  "claim_block_reason": "no_bypass_found: 4.2.4 closed-default trust gate (G1) blocks every contributor payload from reaching eval; all trust-flag call sites consume admin-controlled input; 4.2.5 identical to 4.2.4 on security surface",
  "blocking_mitigation": "G1 closed-default trust gate (widgetopts_safe_eval returns true for non-admin outside widgetopts_safe_eval_trusted); G2 token validator blocks }/T_FUNCTION/T_FN before '('; G3 render_block_data sha256 allowlist scoped to block-renderer route; G4 wp_insert_post_data + rest_request_before_callbacks stripper (parsed attrs + freeform comments); G5 preview guard",
  "file_path": "includes/extras.php",
  "line_start": 707,
  "line_end": 730,
  "secondary_anchors": [
    {"file_path": "includes/widgets/gutenberg/gutenberg-toolbar.php", "line_start": 429, "line_end": 470},
    {"file_path": "includes/widgets/gutenberg/gutenberg-toolbar.php", "line_start": 306, "line_end": 367},
    {"file_path": "includes/widgets/gutenberg/gutenberg-toolbar.php", "line_start": 377, "line_end": 410},
    {"file_path": "includes/extras.php", "line_start": 1077, "line_end": 1158},
    {"file_path": "includes/extras.php", "line_start": 679, "line_end": 705},
    {"file_path": "includes/snippets/class-snippets-cpt.php", "line_start": 76, "line_end": 86}
  ],
  "review_scope_paths": [
    "includes/extras.php",
    "includes/widgets/gutenberg/gutenberg-toolbar.php",
    "includes/widgets/display.php",
    "includes/snippets/class-snippets-cpt.php",
    "includes/snippets/class-snippets-api.php",
    "includes/pagebuilders/elementor/render.php",
    "includes/pagebuilders/beaver/beaver.php",
    "includes/pagebuilders/siteorigin.php"
  ],
  "artifact_refs": {
    "variant_manifest": "bundle/vuln_variant/variant_manifest.json",
    "validation_verdict": "bundle/vuln_variant/validation_verdict.json",
    "runtime_manifest": "bundle/vuln_variant/runtime_manifest.json",
    "repro_log": "bundle/logs/vuln_variant/variant_summary.log",
    "root_cause_equivalence": "bundle/vuln_variant/root_cause_equivalence.json",
    "reproducer": [
      "bundle/vuln_variant/reproduction_steps.sh",
      "bundle/vuln_variant/variant_harness.php"
    ]
  }
}
