=== CVE-2026-57624 reproduction starting at Sun Jul 5 10:07:34 UTC 2026 === ROOT=/data/pruva/runs/c20a7fcc-5f55-4752-bfdb-af7da0b425ed/bundle [+] Verifying Pro plugin version... Pro plugin: [+] Downloading wp-cli... [+] Extracting Pro plugin to build vulnerable/fixed variants... Vulnerable code-editor.php built (ct_allow_code_editor guard reverted). [+] Starting Docker stack... bundle/repro/reproduction_steps.sh: line 182: COMPOSE_CMD: unbound variable === CVE-2026-57624 reproduction starting at Sun Jul 5 10:08:22 UTC 2026 === ROOT=/data/pruva/runs/c20a7fcc-5f55-4752-bfdb-af7da0b425ed/bundle [+] Verifying Pro plugin version... Pro plugin: [+] Extracting Pro plugin to build vulnerable/fixed variants... Vulnerable code-editor.php built (ct_allow_code_editor guard reverted). [+] Starting Docker stack... [+] Containers: vuln=45b9def678c6c1fb7adc36054a2d6ac8e866afd906aed888c4f987c485030b2b fixed=f9014b115e2f724663bf993d6edba98614fcadb831e2d3bb7a90473f7d0029d9 [+] Waiting for WordPress containers to be ready... NAME IMAGE COMMAND SERVICE CREATED STATUS PORTS blocksycve-db-1 mariadb:10.11 "docker-entrypoint.s…" db 12 seconds ago Up 11 seconds (healthy) 3306/tcp blocksycve-wp_fixed-1 wordpress:php8.2-apache "docker-entrypoint.s…" wp_fixed 11 seconds ago Up Less than a second 0.0.0.0:28091->80/tcp, [::]:28091->80/tcp blocksycve-wp_vuln-1 wordpress:php8.2-apache "docker-entrypoint.s…" wp_vuln 11 seconds ago Up Less than a second 0.0.0.0:28090->80/tcp, [::]:28090->80/tcp [+] Resolved container names: vuln=blocksycve-wp_vuln-1 fixed=blocksycve-wp_fixed-1 [+] Container IPs: vuln=172.29.0.3 fixed=172.29.0.4 [+] Setting up blocksycve-wp_vuln-1 (url=http://172.29.0.3)... blocksy-companion-pro 2.1.48 [+] Setting up blocksycve-wp_fixed-1 (url=http://172.29.0.4)... blocksy-companion-pro 2.1.48 [+] Using external container IPs for unauthenticated requests. [+] Created content blocks: vuln id=5 fixed id=5 [+] Slugs: vuln=rce-test-block fixed=rce-test-block === Sending UNAUTHENTICATED request to VULNERABLE build === HTTP response saved to artifacts/http/vuln_response.html === Sending UNAUTHENTICATED request to FIXED build === HTTP response saved to artifacts/http/fixed_response.html === Verifying VULNERABLE build === RCE_CONFIRMED CMD_OUTPUT: uid=33(www-data) gid=33(www-data) groups=33(www-data) www-data 45b9def678c6 Linux 45b9def678c6 7.0.14-arch1-1 #1 SMP PREEMPT_DYNAMIC Sat, 27 Jun 2026 16:15:10 +0000 x86_64 GNU/Linux Response command output: BLOCKSY_RCE_EXECUTED::uid=33(www-data) gid=33(www-data) groups=33(www-data) === Verifying FIXED build (negative control) === /tmp/rce_marker.txt Response marker count: 1 (expected 0) === RESULT === Vulnerable build RCE confirmed: 1 (1=yes) Fixed build blocked (negative control): 0 (1=yes) Plugin version (both): vuln=2.1.48 fixed=2.1.48 ; WordPress=7.0 Wrote runtime_manifest.json [+] Reproduction complete. === WARNING: differential not fully confirmed (vuln=1 fixed=0) === === CVE-2026-57624 reproduction starting at Sun Jul 5 10:10:11 UTC 2026 === ROOT=/data/pruva/runs/c20a7fcc-5f55-4752-bfdb-af7da0b425ed/bundle [+] Pro plugin present: /data/pruva/runs/c20a7fcc-5f55-4752-bfdb-af7da0b425ed/bundle/artifacts/blocksy-companion-pro-v2.1.48.zip [+] Extracting Pro plugin to build vulnerable/fixed variants... Vulnerable code-editor.php built (ct_allow_code_editor guard reverted). [+] Build sanity: fixed ct_allow_code_editor occurrences=1 (expect >=1), vuln occurrences=1 (expect 0) FAIL: vuln build still has guard === CVE-2026-57624 reproduction starting at Sun Jul 5 10:11:35 UTC 2026 === ROOT=/data/pruva/runs/c20a7fcc-5f55-4752-bfdb-af7da0b425ed/bundle [+] Pro plugin present: /data/pruva/runs/c20a7fcc-5f55-4752-bfdb-af7da0b425ed/bundle/artifacts/blocksy-companion-pro-v2.1.48.zip [+] Extracting Pro plugin to build vulnerable/fixed variants... Vulnerable code-editor.php built (ct_allow_code_editor guard reverted). [+] Build sanity: fixed guard occurrences=0 (expect >=1), vuln guard occurrences=0 (expect 0) FAIL: fixed build missing guard === CVE-2026-57624 reproduction starting at Sun Jul 5 10:13:13 UTC 2026 === ROOT=/data/pruva/runs/c20a7fcc-5f55-4752-bfdb-af7da0b425ed/bundle [+] Pro plugin present: /data/pruva/runs/c20a7fcc-5f55-4752-bfdb-af7da0b425ed/bundle/artifacts/blocksy-companion-pro-v2.1.48.zip [+] Extracting Pro plugin to build vulnerable/fixed variants... Vulnerable code-editor.php built (ct_allow_code_editor guard reverted). [+] Build sanity: fixed guard occurrences=1 (expect >=1), vuln guard occurrences=0 (expect 0) [+] Starting Docker stack... [+] Waiting for WordPress containers to be ready... NAME IMAGE COMMAND SERVICE CREATED STATUS PORTS blocksycve-db-1 mariadb:10.11 "docker-entrypoint.s…" db 11 seconds ago Up 11 seconds (healthy) 3306/tcp blocksycve-wp_fixed-1 wordpress:php8.2-apache "docker-entrypoint.s…" wp_fixed 11 seconds ago Up Less than a second 0.0.0.0:28091->80/tcp, [::]:28091->80/tcp blocksycve-wp_vuln-1 wordpress:php8.2-apache "docker-entrypoint.s…" wp_vuln 11 seconds ago Up Less than a second 0.0.0.0:28090->80/tcp, [::]:28090->80/tcp [+] Resolved containers: vuln=blocksycve-wp_vuln-1 fixed=blocksycve-wp_fixed-1 [+] Container IPs: vuln=172.29.0.4 fixed=172.29.0.3 [+] Setting up blocksycve-wp_vuln-1 (url=http://172.29.0.4)... blocksy-companion-pro 2.1.48 [+] Setting up blocksycve-wp_fixed-1 (url=http://172.29.0.3)... blocksy-companion-pro 2.1.48 [+] Using external container IPs for unauthenticated requests. [+] Created content blocks: vuln id=5 fixed id=5 [+] Slugs: vuln=rce-test-block fixed=rce-test-block === Sending UNAUTHENTICATED request to VULNERABLE build === === Sending UNAUTHENTICATED request to FIXED build === === Verifying VULNERABLE build === RCE_CONFIRMED CMD_OUTPUT: uid=33(www-data) gid=33(www-data) groups=33(www-data) www-data ae70ce7b550a Linux ae70ce7b550a 7.0.14-arch1-1 #1 SMP PREEMPT_DYNAMIC Sat, 27 Jun 2026 16:15:10 +0000 x86_64 GNU/Linux Response command output: BLOCKSY_RCE_EXECUTED::uid=33(www-data) gid=33(www-data) groups=33(www-data) === Verifying FIXED build (negative control) === ls: cannot access '/tmp/rce_marker.txt': No such file or directory NO_MARKER_FILE Response marker count: 0 0 (expected 0) === RESULT === Vulnerable build RCE confirmed: 1 (1=yes) Fixed build blocked (negative control): 0 (1=yes) Plugin version (both): vuln=2.1.48 fixed=2.1.48 ; WordPress=7.0 Wrote runtime_manifest.json [+] Reproduction complete. === WARNING: differential not fully confirmed (vuln=1 fixed=0) === === CVE-2026-57624 reproduction starting at Sun Jul 5 10:14:57 UTC 2026 === ROOT=/data/pruva/runs/c20a7fcc-5f55-4752-bfdb-af7da0b425ed/bundle [+] Pro plugin present: /data/pruva/runs/c20a7fcc-5f55-4752-bfdb-af7da0b425ed/bundle/artifacts/blocksy-companion-pro-v2.1.48.zip [+] Extracting Pro plugin to build vulnerable/fixed variants... Vulnerable code-editor.php built (ct_allow_code_editor guard reverted). [+] Build sanity: fixed guard occurrences=1 (expect >=1), vuln guard occurrences=0 (expect 0) [+] Starting Docker stack... [+] Waiting for WordPress containers to be ready... NAME IMAGE COMMAND SERVICE CREATED STATUS PORTS blocksycve-db-1 mariadb:10.11 "docker-entrypoint.s…" db 11 seconds ago Up 11 seconds (healthy) 3306/tcp blocksycve-wp_fixed-1 wordpress:php8.2-apache "docker-entrypoint.s…" wp_fixed 11 seconds ago Up Less than a second 0.0.0.0:28091->80/tcp, [::]:28091->80/tcp blocksycve-wp_vuln-1 wordpress:php8.2-apache "docker-entrypoint.s…" wp_vuln 11 seconds ago Up Less than a second 0.0.0.0:28090->80/tcp, [::]:28090->80/tcp [+] Resolved containers: vuln=blocksycve-wp_vuln-1 fixed=blocksycve-wp_fixed-1 [+] Container IPs: vuln=172.29.0.4 fixed=172.29.0.3 [+] Setting up blocksycve-wp_vuln-1 (url=http://172.29.0.4)... blocksy-companion-pro 2.1.48 [+] Setting up blocksycve-wp_fixed-1 (url=http://172.29.0.3)... blocksy-companion-pro 2.1.48 [+] Using external container IPs for unauthenticated requests. [+] Created content blocks: vuln id=5 fixed id=5 [+] Slugs: vuln=rce-test-block fixed=rce-test-block === Sending UNAUTHENTICATED request to VULNERABLE build === === Sending UNAUTHENTICATED request to FIXED build === === Verifying VULNERABLE build === RCE_CONFIRMED CMD_OUTPUT: uid=33(www-data) gid=33(www-data) groups=33(www-data) www-data 3bb6d199bbb9 Linux 3bb6d199bbb9 7.0.14-arch1-1 #1 SMP PREEMPT_DYNAMIC Sat, 27 Jun 2026 16:15:10 +0000 x86_64 GNU/Linux Response command output: BLOCKSY_RCE_EXECUTED::uid=33(www-data) gid=33(www-data) groups=33(www-data) === Verifying FIXED build (negative control) === ls: cannot access '/tmp/rce_marker.txt': No such file or directory NO_MARKER_FILE Response marker count: 0 (expected 0) === RESULT === Vulnerable build RCE confirmed: 1 (1=yes) Fixed build blocked (negative control): 1 (1=yes) Plugin version (both): vuln=2.1.48 fixed=2.1.48 ; WordPress=7.0 Wrote runtime_manifest.json [+] Reproduction complete. === CVE-2026-57624 REPRODUCED: unauthenticated RCE confirmed (vulnerable) and blocked (fixed) === === CVE-2026-57624 reproduction starting at Sun Jul 5 10:16:32 UTC 2026 === ROOT=/data/pruva/runs/c20a7fcc-5f55-4752-bfdb-af7da0b425ed/bundle [+] Pro plugin present: /data/pruva/runs/c20a7fcc-5f55-4752-bfdb-af7da0b425ed/bundle/artifacts/blocksy-companion-pro-v2.1.48.zip [+] Extracting Pro plugin to build vulnerable/fixed variants... Vulnerable code-editor.php built (ct_allow_code_editor guard reverted). [+] Build sanity: fixed guard occurrences=1 (expect >=1), vuln guard occurrences=0 (expect 0) [+] Starting Docker stack... [+] Waiting for WordPress containers to be ready... NAME IMAGE COMMAND SERVICE CREATED STATUS PORTS blocksycve-db-1 mariadb:10.11 "docker-entrypoint.s…" db 11 seconds ago Up 11 seconds (healthy) 3306/tcp blocksycve-wp_fixed-1 wordpress:php8.2-apache "docker-entrypoint.s…" wp_fixed 11 seconds ago Up Less than a second 0.0.0.0:28091->80/tcp, [::]:28091->80/tcp blocksycve-wp_vuln-1 wordpress:php8.2-apache "docker-entrypoint.s…" wp_vuln 11 seconds ago Up Less than a second 0.0.0.0:28090->80/tcp, [::]:28090->80/tcp [+] Resolved containers: vuln=blocksycve-wp_vuln-1 fixed=blocksycve-wp_fixed-1 [+] Container IPs: vuln=172.29.0.3 fixed=172.29.0.4 [+] Setting up blocksycve-wp_vuln-1 (url=http://172.29.0.3)... blocksy-companion-pro 2.1.48 [+] Setting up blocksycve-wp_fixed-1 (url=http://172.29.0.4)... blocksy-companion-pro 2.1.48 [+] Using external container IPs for unauthenticated requests. [+] Created content blocks: vuln id=5 fixed id=5 [+] Slugs: vuln=rce-test-block fixed=rce-test-block === Sending UNAUTHENTICATED request to VULNERABLE build === === Sending UNAUTHENTICATED request to FIXED build === === Verifying VULNERABLE build === RCE_CONFIRMED CMD_OUTPUT: uid=33(www-data) gid=33(www-data) groups=33(www-data) www-data a537d333d13c Linux a537d333d13c 7.0.14-arch1-1 #1 SMP PREEMPT_DYNAMIC Sat, 27 Jun 2026 16:15:10 +0000 x86_64 GNU/Linux Response command output: BLOCKSY_RCE_EXECUTED::uid=33(www-data) gid=33(www-data) groups=33(www-data) === Verifying FIXED build (negative control) === ls: cannot access '/tmp/rce_marker.txt': No such file or directory NO_MARKER_FILE Response marker count: 0 (expected 0) === RESULT === Vulnerable build RCE confirmed: 1 (1=yes) Fixed build blocked (negative control): 1 (1=yes) Plugin version (both): vuln=2.1.48 fixed=2.1.48 ; WordPress=7.0 Wrote runtime_manifest.json [+] Reproduction complete. === CVE-2026-57624 REPRODUCED: unauthenticated RCE confirmed (vulnerable) and blocked (fixed) ===