{
  "repository": "Creative Themes/Blocksy Companion Pro",
  "distribution": "commercial freemius plugin redistributed via GPL mirror as a zip (no public VCS repository available for the Pro plugin)",
  "commit_source": "release_zip_resolution",
  "commit_sha": "7e5ccb97ab2559f8583cd97be5df1e87a64493f87a6a7e8822e54c9b3e0a8c2b",
  "commit_sha_note": "No git commit exists for the commercial Pro plugin (distributed as a zip, not from a public VCS). The value above is the sha256 of the exact tested source file deployed in the fixed container: framework/premium/features/code-editor.php. This is the precise file-level identity of the tested fixed build.",
  "submitted_target": {
    "target_kind": "wordpress_plugin_zip",
    "commit_sha": null,
    "version": "<=2.1.46",
    "ref": "blocksy-companion-pro <= 2.1.46 (vulnerable per CVE-2026-57624)",
    "display": "Blocksy Companion Pro <= 2.1.46"
  },
  "variant_target": {
    "target_kind": "wordpress_plugin_zip",
    "commit_sha": "7e5ccb97ab2559f8583cd97be5df1e87a64493f87a6a7e8822e54c9b3e0a8c2b",
    "version": "2.1.48",
    "ref": "blocksy-companion-pro-v2.1.48 (fixed build: guard A is_admin + guard B ct_allow_code_editor present)",
    "display": "Blocksy Companion Pro 2.1.48 (fixed)"
  },
  "tested_artifacts": {
    "plugin_zip_path": "bundle/artifacts/blocksy-companion-pro-v2.1.48.zip",
    "plugin_zip_sha256": "df44244019dcc7f0fd93ac039dacfc1b8caf821b8f8839b8efef94e47d34062a",
    "fixed_build_zip_path": "bundle/artifacts/blocksy-companion-pro-fixed.zip",
    "fixed_build_zip_sha256": "a7789d5e199108af5ae3964296a88281d4c279df2d223925e01c1ccaa10501c3",
    "fixed_code_editor_php_in_container": "/var/www/html/wp-content/plugins/blocksy-companion-pro/framework/premium/features/code-editor.php",
    "fixed_code_editor_php_sha256": "7e5ccb97ab2559f8583cd97be5df1e87a64493f87a6a7e8822e54c9b3e0a8c2b",
    "fixed_code_editor_php_guard_b_line": 48,
    "vuln_build_description": "same 2.1.48 code with the ct_allow_code_editor guard (guard B) reverted; guard A (is_admin) retained",
    "vuln_code_editor_php_guard_b_present": false
  },
  "runtime_environment": {
    "wordpress_image": "wordpress:php8.2-apache",
    "wordpress_version": "7.0",
    "theme": "Blocksy 2.1.48 (bundle/artifacts/blocksy.zip)",
    "database": "mariadb:10.11",
    "fixed_container": "blocksycve-wp_fixed-1",
    "vuln_container": "blocksycve-wp_vuln-1",
    "plugin_version_reported_by_wp": "2.1.48 (both builds)"
  },
  "notes": "The fixed (patched) target tested is Blocksy Companion Pro 2.1.48 deployed from the GPL-mirror zip, pre-activated (license bypassed) so the Premium/CodeEditor block registers. The exact tested source identity is pinned by the in-container sha256 of code-editor.php (the file containing the CVE-2026-57624 fix) plus the plugin zip sha256. The vulnerable build is the same 2.1.48 with guard B reverted (restoring the pre-fix render-callback state); guard A is retained. No public git history is available for the commercial Pro plugin, so a true VCS commit sha cannot be provided."
}
