{
  "variant_id": "cve-2026-10835-salesmanago-export_contacts-alt-entrypoint",
  "created_at": "2026-07-05",
  "variant_summary": "Alternate entry point to the same SQL-injection sink as the parent CVE-2026-10835 claim. The parent repro exploited salesmanago_export_count_contacts (ExportController::countContacts -> ExportModel::getExportContactsQuery(true) -> $wpdb->get_var). This variant uses the sibling AJAX action salesmanago_export_contacts (ExportController::exportContacts -> ExportModel::getExportContactsQuery(false) -> $wpdb->get_results), which shares the identical unsanitized dateFrom string-interpolation sink and the identical SecureHelper::validate_ajax_nonce() early-return-without-die authorization-bypass defect in 3.11.2. Confirmed end-to-end on vulnerable 3.11.2: a time-based blind SLEEP payload delivered via the export_contacts action produced response delays scaling linearly with N (0.073s -> 6.068s -> 12.012s) from an authenticated Subscriber with no nonce, proving the alternate entry point reaches the same in-DBMS SQLi sink. Ruled out as a bypass: on fixed 3.11.3 the same payload is blocked with HTTP 403 (the patched validate_ajax_nonce dies for non-admins, the handler adds a manage_options gate, parseArgs validates dateFrom, and getExportContactsQuery uses $wpdb->prepare). Outcome: distinct alternate-trigger variant (not a bypass).",
  "relation": "newer_version_sibling",
  "origin_kind": "pruva_variant",
  "repository": "wordpress.org/plugins/salesmanago",
  "submitted_target": {
    "target_kind": "wordpress_plugin_release",
    "commit_sha": null,
    "version": "3.11.2",
    "ref": "3.11.2",
    "display": "SALESmanago & Leadoo 3.11.2 (vulnerable; CVE-2026-10835 target; zip sha256 64bbc8db...)"
  },
  "variant_target": {
    "target_kind": "wordpress_plugin_release",
    "commit_sha": null,
    "version": "3.11.3",
    "ref": "3.11.3",
    "display": "SALESmanago & Leadoo 3.11.3 (fixed; variant ruled out / blocked with HTTP 403; zip sha256 67dfbcc5...)"
  },
  "same_root_cause_confidence": "high",
  "same_surface_confidence": "medium",
  "claimed_surface": "api_remote",
  "validated_surface": "api_remote",
  "required_entrypoint_kind": "api_remote",
  "required_entrypoint_detail": "POST /wp-admin/admin-ajax.php with action=salesmanago_export_contacts, authenticated Subscriber session (no nonce required in 3.11.2), data=<base64 JSON with injected dateFrom and packageCount=1>",
  "attacker_controlled_input": "base64-encoded JSON 'data' request parameter, 'dateFrom' field (raw, unsanitized in 3.11.2 parseArgs); packageCount=1 supplied to satisfy the exportContacts `if (getPackageCount())` guard so the vulnerable query executes",
  "trigger_path": "POST /wp-admin/admin-ajax.php (authenticated Subscriber, no nonce required in 3.11.2) -> ExportController::exportContacts() -> SecureHelper::validate_ajax_nonce('salesmanago_count_contacts') (returns false for non-admin WITHOUT dying) -> ExportModel::parseArgs() (unsanitized $data->dateFrom assigned to $this->dateFrom) -> if(getPackageCount()) passes (packageCount=1) -> ExportModel::getExportContactsQuery(false) (direct string interpolation: A.post_date >= '{$this->dateFrom}') -> $wpdb->get_results($query, ARRAY_A) -> SLEEP/UNION SQL executes in the DBMS",
  "observed_impact_class": "sql_injection",
  "exploitability_confidence": "high",
  "evidence_scope": "production_path",
  "runtime_manifest_present": true,
  "end_to_end_target_reached": true,
  "inferred": false,
  "claim_block_reason": null,
  "blocking_mitigation": "3.11.3 blocks this variant: (1) SecureHelper::validate_ajax_nonce() now wp_send_json_error(403)-and-dies when the request action mismatches, is not in AJAX_ACTIONS, has a bad nonce, or the user lacks manage_options; (2) ExportController::exportContacts() adds an explicit current_user_can('manage_options') gate and corrects the action name to 'salesmanago_export_contacts'; (3) ExportModel::parseArgs() validates dateFrom via sanitize_text_field()+validate_date_format(); (4) ExportModel::getExportContactsQuery() uses $wpdb->prepare() with %s placeholders. Verified: fixed 3.11.3 returns HTTP 403 for a Subscriber on this variant with no timing differential.",
  "file_path": "src/Admin/Controller/ExportController.php",
  "line_start": 122,
  "line_end": 131,
  "secondary_anchors": [
    {
      "file_path": "src/Admin/Model/ExportModel.php",
      "line_start": 341,
      "line_end": 406,
      "note": "getExportContactsQuery() \u2014 shared SQLi sink: A.post_date >= '{$this->dateFrom}' string interpolation (line 403)"
    },
    {
      "file_path": "src/Admin/Model/ExportModel.php",
      "line_start": 138,
      "line_end": 148,
      "note": "parseArgs() \u2014 unsanitized $this->dateFrom = $data->dateFrom (lines 142-144)"
    },
    {
      "file_path": "src/Includes/SecureHelper.php",
      "line_start": 81,
      "line_end": 104,
      "note": "validate_ajax_nonce() \u2014 early return false for non-admins without dying (line 82-83)"
    },
    {
      "file_path": "src/Admin/Controller/ExportController.php",
      "line_start": 62,
      "line_end": 69,
      "note": "registerActions() \u2014 wp_ajax_salesmanago_export_contacts registration (line 64)"
    }
  ],
  "review_scope_paths": [
    "src/Admin/Controller/ExportController.php",
    "src/Admin/Model/ExportModel.php",
    "src/Includes/SecureHelper.php",
    "src/Admin/Admin.php",
    "src/Admin/SmRestApi.php",
    "src/Admin/Controller/CronController.php",
    "src/Frontend/Model/RestApiModel.php",
    "src/Frontend/Plugins/Wc/WcCartRecoveryModel.php"
  ],
  "artifact_refs": {
    "variant_manifest": "bundle/vuln_variant/variant_manifest.json",
    "validation_verdict": "bundle/vuln_variant/validation_verdict.json",
    "runtime_manifest": "bundle/vuln_variant/runtime_manifest.json",
    "repro_log": "bundle/logs/vuln_variant/run.log",
    "root_cause_equivalence": "bundle/vuln_variant/root_cause_equivalence.json",
    "reproducer": [
      "bundle/vuln_variant/reproduction_steps.sh"
    ]
  }
}