{
  "ticket_id": "CVE-2026-57624",
  "stage": "vuln_variant",
  "verdict": "alternate_trigger_confirmed_on_fixed_not_standalone_bypass",
  "outcome": "distinct_alternate_trigger_reproduces_on_fixed",
  "bypass_in_isolation": false,
  "is_bypass": false,
  "is_variant": true,
  "confirmed": true,
  "summary": "A distinct alternate trigger for the CVE-2026-57624 eval() sink was empirically confirmed on the PATCHED (2.1.48) build: an unauthenticated GET to a page that embeds a Blocksy content block (via [blocksy-content-block] shortcode) — or any frontend render of a content block as a hook/inline-popup — causes the code-editor block render_callback to eval() the block content, executing commands as www-data. This survives the fix because the fix's ct_allow_code_editor guard deliberately permits execution inside ContentBlocksRenderer (the 'explicit renderer context') and is_admin() is false on the frontend. This is INTENDED post-fix behaviour per the vendor changelog, so it is NOT a standalone security bypass of CVE-2026-57624; it is a residual unauthenticated eval-triggering surface gated by content-block authoring (manage_options), which is breached separately by CVE-2026-57630 (IDOR). Combined with 57630, unauthenticated RCE persists on patched builds.",
  "test_matrix": {
    "test1_content_blocks_renderer_frontend": {
      "path": "GET /<page-with-[blocksy-content-block]/> (ContentBlocksRenderer frontend; also covers inline popup + hook)",
      "vuln_build": "executed",
      "fixed_build": "executed",
      "interpretation": "alternate trigger; survives fix; intended behaviour (flag set + is_admin false)"
    },
    "test2_do_blocks_single_view": {
      "path": "GET /ct_content_block/<slug>/ (original repro surface)",
      "vuln_build": "executed",
      "fixed_build": "blocked",
      "interpretation": "fix works on its stated surface (ct_allow_code_editor guard)"
    },
    "test3_popup_ajax_nopriv": {
      "path": "POST admin-ajax.php action=blc_retrieve_popup_content (wp_ajax_nopriv, nonce-less)",
      "vuln_build": "blocked",
      "fixed_build": "blocked",
      "interpretation": "is_admin() guard blocks AJAX context on both builds"
    }
  },
  "fix_coverage_assessment": {
    "covers": ["do_blocks single-view of ct_content_block", "AJAX-context rendering via admin-ajax.php (popup + mega-menu nopriv endpoints)", "REST block renderer (already edit_posts-gated)"],
    "does_not_cover": ["frontend ContentBlocksRenderer rendering (shortcode, hook, inline popup, inline mega-menu walker, single/archive templates)"],
    "does_not_cover_is_intended": true,
    "fix_is_sound": true,
    "fix_logic_flaw_found": false,
    "complete_for_stated_scope": true,
    "complete_against_combined_57624_plus_57630_threat": false
  },
  "blocking_mitigation": "The ct_allow_code_editor guard (guard B) blocks the do_blocks single-view path on the fixed build; the is_admin() guard (guard A) blocks AJAX-context rendering. The residual ContentBlocksRenderer frontend path is intentionally allowed and is gated by content-block authoring capability (manage_options), which is the separate CVE-2026-57630 (IDOR) boundary.",
  "claimed_surface": "api_remote",
  "validated_surface": "api_remote",
  "required_entrypoint_kind": "endpoint",
  "required_entrypoint_detail": "Unauthenticated HTTP GET to a published page/post that renders a Blocksy content block (via [blocksy-content-block] shortcode, a hook location, or an inline popup) whose post_content contains a blocksy-companion-pro/code-editor block. The ContentBlocksRenderer marks the code-editor block as ct_allow_code_editor=true; is_admin() is false on the frontend; the render_callback eval()s the block innerHTML.",
  "attacker_controlled_input": "code-editor block innerHTML / code attribute (the PHP source passed to eval). Authoring is gated by manage_options for ct_content_block; unauthenticated injection is the separate CVE-2026-57630 (IDOR).",
  "trigger_path": "ContentBlocks shortcode/hook/popup -> output_hook() -> new ContentBlocksRenderer($id) -> get_content() -> CustomPostTypeRenderer::parse_blocks_with_code_editor_mark() (sets ct_allow_code_editor) -> render_block() -> CodeEditor render_callback (is_admin false, flag set) -> get_eval_content() -> eval('?>'.$code)",
  "observed_impact_class": "code_execution",
  "exploitability_confidence": "high_for_execution_primitive_medium_for_end_to_end",
  "evidence_scope": "runtime_backed_differential_on_vuln_and_fixed_builds",
  "runtime_manifest_present": true,
  "end_to_end_target_reached": true,
  "inferred": false,
  "same_root_cause_confidence": "high",
  "same_surface_confidence": "medium",
  "residual_risk": "With CVE-2026-57630 (IDOR), an attacker can inject a code-editor block into a content block rendered as a popup/hook/shortcode; unauthenticated page loads then trigger eval() on FIXED builds. The 57624 fix alone does NOT fully remediate unauthenticated RCE when 57630 is unpatched.",
  "recommendation_for_complete_fix": "Remediate CVE-2026-57630 (IDOR) AND/OR re-check authoring capability at eval time (only execute a code-editor block when the owning content block was last authored by a user who holds manage_options / the custom_post_type capability), and/or disable the code-editor block in content blocks by default.",
  "candidate_variants_ruled_out": [
    {"candidate": "Popup AJAX endpoint blc_retrieve_popup_content (nopriv)", "status": "blocked_on_fixed", "reason": "is_admin() true for admin-ajax.php => guard A returns ''."},
    {"candidate": "Mega-menu AJAX endpoint blc_retrieve_mega_menu_content (nopriv)", "status": "blocked_on_fixed", "reason": "is_admin() true for admin-ajax.php => guard A blocks (same mechanism as popup AJAX)."},
    {"candidate": "REST block renderer /wp-json/wp/v2/block-renderer", "status": "not_a_vector", "reason": "requires edit_posts (401 unauthenticated) + code-editor block has no attributes schema."},
    {"candidate": "code attribute path via ContentBlocksRenderer", "status": "not_attacker_controlled", "reason": "attribute comes from parsed post_content (admin/IDOR authored), not request-controlled at eval time."},
    {"candidate": "Other eval sinks (qubely.php, custom code snippets)", "status": "out_of_scope", "reason": "qubely eval is a fixed class string; code-snippets is a separate admin-gated feature; not the 57624 sink."}
  ],
  "negative_result": false,
  "exit_code": 0,
  "exit_code_meaning": "0 = distinct alternate trigger reproduced on the FIXED (patched) build (TEST1) while the fix blocks its stated surface (TEST2) and AJAX context (TEST3). Not a standalone bypass (intended behaviour); see bypass_in_isolation=false.",
  "evidence_artifacts": [
    "bundle/logs/vuln_variant/reproduction_steps.log",
    "bundle/logs/vuln_variant/t1_fixed_marker.txt",
    "bundle/logs/vuln_variant/t1_vuln_marker.txt",
    "bundle/logs/vuln_variant/t2_fixed_marker.txt",
    "bundle/logs/vuln_variant/t2_vuln_marker.txt",
    "bundle/logs/vuln_variant/t3_fixed_marker.txt",
    "bundle/logs/vuln_variant/t3_vuln_marker.txt",
    "bundle/vuln_variant/http/fixed_shortcode_page.html",
    "bundle/vuln_variant/http/vuln_shortcode_page.html",
    "bundle/vuln_variant/http/fixed_singleview.html",
    "bundle/vuln_variant/http/vuln_singleview.html",
    "bundle/vuln_variant/http/fixed_popup_ajax.json",
    "bundle/vuln_variant/http/vuln_popup_ajax.json",
    "bundle/vuln_variant/runtime_manifest.json",
    "bundle/vuln_variant/patch_analysis.md",
    "bundle/vuln_variant/reproduction_steps.sh",
    "bundle/vuln_variant/source_identity.json",
    "bundle/vuln_variant/root_cause_equivalence.json"
  ]
}
