{
  "parent_cve": "CVE-2026-57624",
  "variant_id": "CVE-2026-57624-variant-contentblocksrenderer-frontend",
  "same_root_cause": true,
  "confidence": "high",
  "sink": {
    "file": "framework/premium/features/code-editor.php",
    "class": "Blocksy\\CodeEditor",
    "method": "get_eval_content",
    "line": 119,
    "call": "eval('?' . '>' . $inline_code . $ending)"
  },
  "parent_trigger": {
    "entry": "Unauthenticated GET /ct_content_block/<slug>/ (do_blocks single-view)",
    "renderer": "WordPress core do_blocks() / render_block()",
    "flag_set": false,
    "is_admin": false,
    "result_vuln": "eval executes",
    "result_fixed": "blocked by guard B (ct_allow_code_editor absent)"
  },
  "variant_trigger": {
    "entry": "Unauthenticated GET /<page>/ that renders a content block via [blocksy-content-block] shortcode / hook / inline popup",
    "renderer": "Blocksy ContentBlocksRenderer (extends CustomPostTypeRenderer)",
    "flag_set": true,
    "flag_set_by": "CustomPostTypeRenderer::mark_code_editor_blocks() via blocksy:block-parser:result filter (parse_blocks_with_code_editor_mark)",
    "is_admin": false,
    "result_vuln": "eval executes",
    "result_fixed": "eval executes (flag set + is_admin false => both guards pass)"
  },
  "equivalence_reasoning": "Both the parent and the variant reach the identical eval() sink (Blocksy\\CodeEditor::get_eval_content) on the identical attacker-controlled input (the code-editor block innerHTML / code attribute). The only difference is the rendering path that supplies the parsed block to the render_callback: the parent uses WP core do_blocks() (flag never set), the variant uses Blocksy ContentBlocksRenderer (flag set by mark_code_editor_blocks). The trust boundary is identical in both cases: the code-editor block content is authored by a user with content-block capability (manage_options) or injected via the separate CVE-2026-57630 IDOR; the unauthenticated HTTP request is the trigger. The fix closes the parent path (guard B blocks when flag absent) but intentionally leaves the variant path open (guard B passes when flag set, guard A passes on the frontend).",
  "surface_difference": "Different entry point (frontend page-load rendering a content block via ContentBlocksRenderer vs. ct_content_block single-view URL via do_blocks) and different renderer (ContentBlocksRenderer vs. WP core block renderer). Same sink, same input field, same trust boundary.",
  "secondary_candidates": [
    {
      "candidate": "Popup AJAX endpoint blc_retrieve_popup_content (wp_ajax_nopriv, nonce-less)",
      "same_sink": true,
      "reproduces_on_fixed": false,
      "blocked_by": "guard A (is_admin() true for admin-ajax.php)",
      "same_root_cause": true,
      "notes": "Reaches ContentBlocksRenderer (flag set) but is_admin() guard blocks eval on both builds. On a hypothetical fully-vulnerable <=2.1.46 with both guards absent this would be an unauthenticated alternate trigger; not testable (commercial build unavailable)."
    },
    {
      "candidate": "Mega-menu AJAX endpoint blc_retrieve_mega_menu_content (wp_ajax_nopriv, nonce-less)",
      "same_sink": true,
      "reproduces_on_fixed": false,
      "blocked_by": "guard A (is_admin() true for admin-ajax.php)",
      "same_root_cause": true,
      "notes": "Same mechanism as popup AJAX; blocked by is_admin() guard."
    },
    {
      "candidate": "REST block renderer /wp-json/wp/v2/block-renderer/blocksy-companion-pro/code-editor",
      "same_sink": true,
      "reproduces_on_fixed": false,
      "blocked_by": "WP core: edit_posts capability required (401 unauthenticated) + code-editor block has no attributes schema (rest_additional_properties_forbidden)",
      "same_root_cause": true,
      "notes": "Not an unauthenticated vector (verified in parent RCA)."
    }
  ],
  "conclusion": "The variant shares the same root cause (unguarded eval of code-editor block content) and the same sink as the parent CVE. It is a distinct alternate entry point that the fix intentionally does not cover (ContentBlocksRenderer is the allowed context). It is therefore the same underlying bug reachable from a different entry point, classified as intended behaviour rather than a standalone bypass."
}
