{
  "variant_id": "CVE-2026-57624-variant-contentblocksrenderer-frontend",
  "created_at": "2026-07-05T10:30:00Z",
  "variant_summary": "Alternate trigger for the CVE-2026-57624 eval() sink that reproduces on the PATCHED (2.1.48) build: an unauthenticated GET to a page that renders a Blocksy content block (via [blocksy-content-block] shortcode, a hook location, or an inline popup) whose post_content contains a blocksy-companion-pro/code-editor block causes the render_callback to eval() the block content (command execution as www-data). This survives the fix because the ct_allow_code_editor guard intentionally permits execution inside ContentBlocksRenderer (the 'explicit renderer context') and is_admin() is false on the frontend. Classified as intended post-fix behaviour, NOT a standalone bypass of CVE-2026-57624; residual unauthenticated eval-triggering surface gated by content-block authoring (manage_options), breached separately by CVE-2026-57630 (IDOR).",
  "relation": "newer_version_sibling",
  "origin_kind": "pruva_variant",
  "repository": "Creative Themes/Blocksy Companion Pro (commercial freemius/GPL-mirror zip; no public VCS)",
  "submitted_target": {
    "target_kind": "wordpress_plugin_zip",
    "commit_sha": null,
    "version": "<=2.1.46",
    "ref": "blocksy-companion-pro <= 2.1.46 (vulnerable per CVE-2026-57624)",
    "display": "Blocksy Companion Pro <= 2.1.46 — unauthenticated RCE via code-editor block (CVE-2026-57624)"
  },
  "variant_target": {
    "target_kind": "wordpress_plugin_zip",
    "commit_sha": "7e5ccb97ab2559f8583cd97be5df1e87a64493f87a6a7e8822e54c9b3e0a8c2b",
    "version": "2.1.48",
    "ref": "blocksy-companion-pro-v2.1.48 (fixed build, guard A is_admin + guard B ct_allow_code_editor present)",
    "display": "Blocksy Companion Pro 2.1.48 (fixed) — in-container framework/premium/features/code-editor.php sha256 7e5ccb97... (plugin zip sha256 df442440...)"
  },
  "same_root_cause_confidence": "high",
  "same_surface_confidence": "medium",
  "claimed_surface": "api_remote",
  "validated_surface": "api_remote",
  "required_entrypoint_kind": "endpoint",
  "required_entrypoint_detail": "Unauthenticated HTTP GET to a published WordPress page/post that renders a Blocksy content block (via the [blocksy-content-block id=..] shortcode, a hook display location, or an inline popup with load_content_with_ajax=no) whose post_content contains a blocksy-companion-pro/code-editor block. ContentBlocksRenderer marks the code-editor block with ct_allow_code_editor=true; is_admin() is false on the frontend; the render_callback eval()s the block innerHTML via get_eval_content().",
  "attacker_controlled_input": "code-editor block innerHTML / code attribute (the PHP source passed to eval). Authoring of ct_content_block is gated by manage_options (custom_post_type capability); unauthenticated injection is the separate CVE-2026-57630 (companion IDOR), out of scope for this variant stage.",
  "trigger_path": "ContentBlocks shortcode/hook/popup -> output_hook($id) -> new ContentBlocksRenderer($id) -> get_content() -> CustomPostTypeRenderer::parse_blocks_with_code_editor_mark() (sets ct_allow_code_editor=true) -> render_block($block) -> CodeEditor render_callback (is_admin()=false passes guard A; ct_allow_code_editor set passes guard B) -> get_eval_content($inline_code) -> eval('?>'.$inline_code.$ending)",
  "observed_impact_class": "code_execution",
  "exploitability_confidence": "high_for_execution_primitive_medium_for_end_to_end_unauthenticated_injection",
  "evidence_scope": "runtime_backed_differential_on_vuln_and_fixed_builds",
  "runtime_manifest_present": true,
  "end_to_end_target_reached": true,
  "inferred": false,
  "claim_block_reason": "Not a standalone bypass: the ContentBlocksRenderer frontend execution is INTENDED post-fix behaviour per the vendor changelog ('Code editor block - restrict execution to explicit renderer context'). The fix deliberately permits execution in the explicit renderer context. The residual unauthenticated eval-triggering surface is gated by content-block authoring (manage_options), which is breached separately by CVE-2026-57630 (IDOR).",
  "blocking_mitigation": "ct_allow_code_editor guard (guard B) blocks the do_blocks single-view path on the fixed build; is_admin() guard (guard A) blocks AJAX-context rendering (popup + mega-menu nopriv admin-ajax endpoints). The ContentBlocksRenderer frontend path is intentionally allowed.",
  "file_path": "framework/premium/features/code-editor.php",
  "line_start": 44,
  "line_end": 73,
  "secondary_anchors": [
    {"file_path": "framework/premium/features/render-custom-post-type.php", "line_start": 290, "line_end": 325},
    {"file_path": "framework/premium/features/content-blocks.php", "line_start": 540, "line_end": 560},
    {"file_path": "framework/premium/features/content-blocks/renderer.php", "line_start": 9, "line_end": 20},
    {"file_path": "framework/premium/features/content-blocks/popups.php", "line_start": 38, "line_end": 46}
  ],
  "review_scope_paths": [
    "framework/premium/features/code-editor.php",
    "framework/premium/features/render-custom-post-type.php",
    "framework/premium/features/content-blocks.php",
    "framework/premium/features/content-blocks/renderer.php",
    "framework/premium/features/content-blocks/popups.php",
    "framework/premium/features/content-blocks/templates.php",
    "framework/premium/extensions/mega-menu/includes/api.php",
    "framework/premium/extensions/mega-menu/custom-menu-walker.php"
  ],
  "artifact_refs": {
    "variant_manifest": "bundle/vuln_variant/variant_manifest.json",
    "validation_verdict": "bundle/vuln_variant/validation_verdict.json",
    "runtime_manifest": "bundle/vuln_variant/runtime_manifest.json",
    "repro_log": "bundle/logs/vuln_variant/reproduction_steps.log",
    "root_cause_equivalence": "bundle/vuln_variant/root_cause_equivalence.json",
    "reproducer": [
      "bundle/vuln_variant/reproduction_steps.sh",
      "bundle/vuln_variant/setup_variant.php"
    ]
  }
}
