{
  "variant_outcome": "alternate_trigger_confirmed_not_bypass",
  "is_bypass": false,
  "distinct_variant_confirmed": true,
  "variant_reproduced_on_vulnerable": true,
  "variant_blocked_on_fixed": true,
  "variant_summary": "UltimateMember integration (class-ultimatemember.php, option=smsalert-um-reset-pwd-action reached via um_reset_password_process_hook) is a materially different unauthenticated entry point that reaches the same handleSmsalertChangedPwd()->reset_password() sink without OTP validation. Reproduced on 3.9.5; the 3.9.6 fix covers it (adds the $_SESSION['SA_UM_RESET_PWD']==='validated' gate in handleForm() and sets it in handle_post_verification()).",
  "claim_block_reason": null,
  "blocking_mitigation": "3.9.6 handleForm() dispatch now requires the form-specific session var ($_SESSION['SA_UM_RESET_PWD']) to equal 'validated', which is only set after a successful OTP validation (otp_verification_successful -> handle_post_verification).",
  "root_cause_class": "missing_identity_validation_before_privileged_action",
  "observed_impact_class": "privilege_escalation",
  "exploitability_confidence": "high",
  "evidence_scope": "production_path",
  "end_to_end_target_reached": true,
  "inferred": false,
  "timestamp": "2026-07-05T11:00:28Z"
}
