{
  "repository": "wordpress-plugin:sms-alert",
  "commit_source": "release_tag_resolution",
  "commit_sha": "release:3.9.5",
  "submitted_target": {
    "target_kind": "wordpress_plugin",
    "version": "3.9.5",
    "ref": "sms-alert.3.9.5",
    "display": "sms-alert 3.9.5 — WPResetPassword entry point (option=smsalert-change-password-form)"
  },
  "variant_target": {
    "target_kind": "wordpress_plugin",
    "version": "3.9.5",
    "commit_sha": "release:3.9.5",
    "ref": "sms-alert.3.9.5",
    "display": "sms-alert 3.9.5 — UltimateMember entry point (option=smsalert-um-reset-pwd-action)"
  },
  "fixed_target_tested": {
    "target_kind": "wordpress_plugin",
    "version": "3.9.6",
    "commit_sha": "changeset:3587983",
    "ref": "sms-alert.3.9.6",
    "display": "sms-alert 3.9.6 (patched; wordpress.org changeset 3587983) — UM attack blocked"
  },
  "resolution_method": "The sms-alert plugin is distributed via wordpress.org as release ZIPs (SVN-backed), not a git repository. The exact tested revisions were resolved from the release ZIP 'Stable tag' headers: 3.9.5 (vulnerable, variant reproduced) and 3.9.6 (patched, attack blocked). The fix corresponds to wordpress.org trac changeset 3587983 (https://plugins.trac.wordpress.org/changeset/3587983/sms-alert). No git commit SHA is available; 'release:3.9.5' / 'changeset:3587983' are the canonical revision identifiers for this distribution model.",
  "verified_artifacts": {
    "vulnerable_zip": "bundle/artifacts/sms-alert-3.9.5.zip (Stable tag: 3.9.5)",
    "fixed_zip": "bundle/artifacts/sms-alert-3.9.6.zip (Stable tag: 3.9.6)",
    "ultimatemember_version": "2.12.0 (wordpress.org release)"
  },
  "notes": "Both the vulnerable (3.9.5) and fixed (3.9.6) versions were installed from the cached release ZIPs via wp-cli and tested at runtime in this variant run. The variant (UM alternate trigger) was confirmed on 3.9.5 and verified blocked on 3.9.6."
}
