{
  "entrypoint_kind": "api_remote",
  "entrypoint_detail": "Unauthenticated HTTP GET to a published ct_content_block single-view URL; the code-editor Gutenberg block render_callback executes eval() on the block innerHTML via the standard WP do_blocks path (no ct_allow_code_editor context flag).",
  "service_started": true,
  "healthcheck_passed": true,
  "target_path_reached": true,
  "runtime_stack": [
    "mariadb:10.11",
    "wordpress:php8.2-apache (WP 7.0)",
    "Blocksy theme 2.1.48",
    "Blocksy Companion Pro 2.1.48 (vulnerable build: ct_allow_code_editor guard reverted)",
    "Blocksy Companion Pro 2.1.48 (fixed build)"
  ],
  "proof_artifacts": [
    "logs/reproduction_steps.log",
    "logs/vuln_marker.txt",
    "logs/fixed_marker_check.txt",
    "logs/code-editor-fix-diff.txt",
    "artifacts/http/vuln_response.html",
    "artifacts/http/fixed_response.html",
    "artifacts/code-editor.vuln.php",
    "artifacts/code-editor.fixed.php"
  ],
  "notes": "Unauthenticated command execution observed on vulnerable build (marker file written by www-data; shell_exec output uid=33(www-data) in HTTP response). Fixed build (2.1.48) blocks execution (ct_allow_code_editor guard). Code-injection of the code-editor block content is the companion IDOR CVE-2026-57630 (separate CVE); the CVE-2026-57624 RCE primitive demonstrated here is the unauthenticated eval execution. confirmed_vuln=1 blocked_fixed=1 cmd_echo=BLOCKSY_RCE_EXECUTED::uid=33(www-data) gid=33(www-data) groups=33(www-data)"
}