{
  "repository": "wordpress.org/plugins/salesmanago",
  "commit_source": "release_tag_resolution",
  "commit_sha": null,
  "submitted_target": {
    "target_kind": "wordpress_plugin_release",
    "commit_sha": null,
    "version": "3.11.2",
    "ref": "3.11.2",
    "display": "SALESmanago & Leadoo 3.11.2 (vulnerable; CVE-2026-10835 target)",
    "download_url": "https://downloads.wordpress.org/plugin/salesmanago.3.11.2.zip",
    "artifact_sha256": "64bbc8db782bcc5ff76fb7bb0028a205f6caeb598bb6999a05181bac1b6fb1b1",
    "plugin_header_version": "3.11.2",
    "composer_version": "3.11.2"
  },
  "variant_target": {
    "target_kind": "wordpress_plugin_release",
    "commit_sha": null,
    "version": "3.11.3",
    "ref": "3.11.3",
    "display": "SALESmanago & Leadoo 3.11.3 (fixed; bypass ruled out with HTTP 403)",
    "download_url": "https://downloads.wordpress.org/plugin/salesmanago.3.11.3.zip",
    "artifact_sha256": "67dfbcc5bbbbb6b4c9879c59fc0c17bc6ade2b9211dec306ed5bcca00d678341",
    "plugin_header_version": "3.11.3",
    "composer_version": "3.11.3"
  },
  "runtime_image": {
    "image": "wordpress:6.7-php8.2-apache",
    "repo_digest": "wordpress@sha256:85c7d25eaf9726eeff21adad930aa43d2894bd73e9253ab250737b6d994a1181",
    "db_image": "mysql:8.0"
  },
  "notes": "The SALESmanago & Leadoo plugin is distributed as an official WordPress.org plugin zip (no public git source mirror was used), so there is no git commit_sha. The exact tested source is pinned by the WordPress.org release version plus the SHA-256 of the downloaded plugin zip. The variant (alternate entry point salesmanago_export_contacts) was CONFIRMED on the vulnerable 3.11.2 release (zip sha256 64bbc8db...) and the bypass was RULED OUT on the fixed 3.11.3 release (zip sha256 67dfbcc5...), which returns HTTP 403 for an authenticated Subscriber. Both zips were extracted under bundle/artifacts/salesmanago-{3.11.2,3.11.3}/ and the plugin header Version + composer.json version confirm the release identity."
}
