{
  "variant_id": "cve-2026-11387-smsalert-ultimatemember-alt-trigger",
  "created_at": "2026-07-05T11:00:28Z",
  "variant_summary": "UltimateMember integration (class-ultimatemember.php, option=smsalert-um-reset-pwd-action reached via um_reset_password_process_hook) is a materially different unauthenticated entry point that reaches the same handleSmsalertChangedPwd()->reset_password() sink without OTP validation. Runtime-reproduced on vulnerable 3.9.5 (admin password reset without OTP); blocked on patched 3.9.6. Alternate trigger, NOT a bypass.",
  "relation": "newer_version_sibling",
  "origin_kind": "pruva_variant",
  "repository": "wordpress-plugin:sms-alert",
  "submitted_target": {
    "target_kind": "wordpress_plugin",
    "version": "3.9.5",
    "ref": "sms-alert.3.9.5",
    "display": "sms-alert 3.9.5 — WPResetPassword entry point (option=smsalert-change-password-form)"
  },
  "variant_target": {
    "target_kind": "wordpress_plugin",
    "version": "3.9.5",
    "commit_sha": "release:3.9.5",
    "ref": "sms-alert.3.9.5",
    "display": "sms-alert 3.9.5 — UltimateMember entry point (option=smsalert-um-reset-pwd-action)"
  },
  "same_root_cause_confidence": "high",
  "same_surface_confidence": "medium",
  "claimed_surface": "api_remote",
  "validated_surface": "api_remote",
  "required_entrypoint_kind": "api_remote",
  "required_entrypoint_detail": "UltimateMember password-reset core page (?page_id=<um_pwd_page>) POST _um_password_reset=1&username_b=<admin> (fires um_reset_password_process_hook -> SMSAlert smsalertUmResetPwdSubmitted poisons $_SESSION), then POST ?option=smsalert-um-reset-pwd-action&smsalert_user_newpwd=<pwd>&smsalert_user_cnfpwd=<pwd> (handleForm dispatch -> handleSmsalertChangedPwd -> reset_password). Requires UltimateMember plugin active, smsalert_general[reset_password]=on, smsalert_general[buyer_signup_otp]=on, target billing_phone set.",
  "attacker_controlled_input": "Unauthenticated POST body: _um_password_reset=1&username_b=<target_user>; then option=smsalert-um-reset-pwd-action&smsalert_user_newpwd=<attacker_pwd>&smsalert_user_cnfpwd=<attacker_pwd>. Shared PHPSESSID cookie across both requests.",
  "trigger_path": "POST ?page_id=<um_pwd> (_um_password_reset=1&username_b=admin) -> um_reset_password_process_hook -> UltimateMember::smsalertUmResetPwdSubmitted() -> SmsAlertUtility::initialize_transaction('SA_UM_RESET_PWD') + startOtpTransaction() -> smsalert_site_challenge_otp() sets $_SESSION['user_login']='admin' (before OTP API call) -> POST ?option=smsalert-um-reset-pwd-action -> UltimateMember::handleForm() -> handleSmsalertChangedPwd() -> reset_password($admin,$attacker_pwd)",
  "observed_impact_class": "privilege_escalation",
  "exploitability_confidence": "high",
  "evidence_scope": "production_path",
  "runtime_manifest_present": true,
  "end_to_end_target_reached": true,
  "inferred": false,
  "is_bypass": false,
  "variant_outcome": "alternate_trigger_confirmed_not_bypass",
  "variant_reproduced_on_vulnerable": true,
  "variant_blocked_on_fixed": true,
  "claim_block_reason": null,
  "blocking_mitigation": "3.9.6 UltimateMember::handleForm() dispatch now requires $_SESSION['SA_UM_RESET_PWD'] === 'validated' (set only in handle_post_verification after real OTP success); attack returns HTTP 200 with no password change on 3.9.6.",
  "file_path": "handler/forms/class-ultimatemember.php",
  "line_start": 88,
  "line_end": 90,
  "secondary_anchors": [
    {
      "file_path": "handler/forms/class-ultimatemember.php",
      "line_start": 270,
      "line_end": 289
    },
    {
      "file_path": "handler/forms/class-ultimatemember.php",
      "line_start": 337,
      "line_end": 352
    },
    {
      "file_path": "handler/smsalert_form_handler.php",
      "line_start": 88,
      "line_end": 95
    }
  ],
  "review_scope_paths": [
    "handler/forms/class-ultimatemember.php",
    "handler/forms/class-wpresetpassword.php",
    "handler/smsalert_form_handler.php",
    "helper/sessionVars.php",
    "helper/utility.php"
  ],
  "artifact_refs": {
    "variant_manifest": "vuln_variant/variant_manifest.json",
    "validation_verdict": "vuln_variant/validation_verdict.json",
    "runtime_manifest": "vuln_variant/runtime_manifest.json",
    "repro_log": "logs/vuln_variant_reproduction.log",
    "root_cause_equivalence": "vuln_variant/root_cause_equivalence.json",
    "reproducer": [
      "vuln_variant/reproduction_steps.sh"
    ]
  }
}
