{
  "claim_outcome": "variant_not_bypass",
  "claim_block_reason": null,
  "variant_type": "alternate_entry_point",
  "variant_endpoint": "salesmanago_export_contacts",
  "parent_endpoint": "salesmanago_export_count_contacts",
  "shared_sink": "ExportModel::getExportContactsQuery() (A.post_date >= '{$this->dateFrom}' string interpolation)",
  "reproduced_on_vulnerable": true,
  "reproduced_on_fixed": false,
  "is_bypass": false,
  "validated_surface": "api_remote",
  "evidence_scope": "production_path",
  "claimed_impact_class": "sql_injection",
  "observed_impact_class": "sql_injection",
  "exploitability_confidence": "high",
  "attacker_controlled_input": "base64-encoded JSON 'data' request parameter, 'dateFrom' field, sent to /wp-admin/admin-ajax.php action=salesmanago_export_contacts by an authenticated Subscriber (packageCount=1 to satisfy the exportContacts guard)",
  "trigger_path": "POST /wp-admin/admin-ajax.php (authenticated Subscriber, no nonce required in 3.11.2) -> ExportController::exportContacts() -> SecureHelper::validate_ajax_nonce() (returns false but does not die for non-admins) -> ExportModel::parseArgs() (unsanitized $data->dateFrom) -> ExportModel::getExportContactsQuery(false) (direct string interpolation A.post_date >= '{$this->dateFrom}') -> $wpdb->get_results()",
  "end_to_end_target_reached": true,
  "sanitizer_used": false,
  "crash_observed": false,
  "read_write_primitive_observed": true,
  "exploit_chain_demonstrated": true,
  "blocking_mitigation": "3.11.3 patches: (1) validate_ajax_nonce() now calls wp_send_json_error(403) which dies for non-admin/bad-nonce/unknown-action; (2) each export handler adds an explicit current_user_can('manage_options') gate; (3) parseArgs() validates dateFrom via sanitize_text_field()+validate_date_format(); (4) getExportContactsQuery() uses $wpdb->prepare() with %s placeholders. Fixed 3.11.3 returns HTTP 403 for the Subscriber on this variant.",
  "inferred": false
}