{
  "entrypoint_kind": "api_remote",
  "entrypoint_detail": "Unauthenticated HTTP requests to three distinct rendering paths that reach the code-editor block eval() sink: (1) a frontend page embedding a content block via [blocksy-content-block] shortcode -> ContentBlocksRenderer; (2) the ct_content_block single-view URL -> do_blocks; (3) admin-ajax.php?action=blc_retrieve_popup_content (wp_ajax_nopriv, nonce-less) -> ContentBlocksRenderer in an AJAX context.",
  "service_started": true,
  "healthcheck_passed": true,
  "target_path_reached": true,
  "runtime_stack": [
    "mariadb:10.11",
    "wordpress:php8.2-apache (WP 7.0)",
    "Blocksy theme 2.1.48",
    "Blocksy Companion Pro 2.1.48 (fixed build = original 2.1.48, ct_allow_code_editor guard present)",
    "Blocksy Companion Pro 2.1.48 (vulnerable build = 2.1.48 with ct_allow_code_editor guard reverted)"
  ],
  "test_matrix": {
    "test1_content_blocks_renderer_frontend": {
      "vuln_executed": true,
      "fixed_executed": true,
      "note": "ContentBlocksRenderer path (shortcode/hook/inline-popup). flag set + is_admin false => eval runs. Executes on FIXED = intended post-fix behaviour per vendor changelog."
    },
    "test2_do_blocks_single_view": {
      "vuln_executed": true,
      "fixed_executed": false,
      "note": "Original repro surface. flag NOT set => ct_allow_code_editor guard blocks on FIXED."
    },
    "test3_popup_ajax_nopriv": {
      "vuln_executed": false,
      "fixed_executed": false,
      "note": "admin-ajax.php => is_admin() true => is_admin() guard blocks on both builds (vuln build keeps is_admin guard)."
    }
  },
  "fixed_version_alternate_trigger_confirmed": true,
  "classification": "alternate_trigger_on_fixed_intended_behaviour",
  "bypass_in_isolation": false,
  "combined_exploit_residual_risk": "With the separate unauthenticated injection CVE-2026-57630 (companion IDOR), an attacker can place a code-editor block in a content block rendered as a popup/hook/shortcode; unauthenticated page loads then trigger eval() on FIXED (patched) builds via the ContentBlocksRenderer path. The CVE-2026-57624 fix alone does NOT fully remediate unauthenticated RCE when 57630 is unpatched.",
  "boundary_ok": true,
  "proof_artifacts": [
    "logs/vuln_variant/reproduction_steps.log",
    "logs/vuln_variant/t1_fixed_marker.txt",
    "logs/vuln_variant/t1_vuln_marker.txt",
    "logs/vuln_variant/t2_fixed_marker.txt",
    "logs/vuln_variant/t2_vuln_marker.txt",
    "logs/vuln_variant/t3_fixed_marker.txt",
    "logs/vuln_variant/t3_vuln_marker.txt",
    "vuln_variant/http/fixed_shortcode_page.html",
    "vuln_variant/http/vuln_shortcode_page.html",
    "vuln_variant/http/fixed_singleview.html",
    "vuln_variant/http/vuln_singleview.html",
    "vuln_variant/http/fixed_popup_ajax.json",
    "vuln_variant/http/vuln_popup_ajax.json"
  ],
  "notes": "TEST1 fixed echo: BLOCKSY_VARIANT_RCE::uid=33(www-data) gid=33(www-data) groups=33(www-data). TEST1 executes on FIXED because ContentBlocksRenderer sets ct_allow_code_editor and is_admin() is false on the frontend; the fix deliberately permits execution in the explicit renderer context (vendor changelog: 'restrict execution to explicit renderer context'). This is therefore NOT a standalone bypass of CVE-2026-57624; the residual surface is gated by content-block authoring (manage_options), breached separately by CVE-2026-57630."
}