{
  "entrypoint_kind": "api_remote",
  "entrypoint_detail": "Unauthenticated HTTP requests (separate Docker-network client container -> WordPress service by container name) carrying the crafted premmerce_wishlist SLEEP cookie to four candidate entry points: REST /add/popup GET, wc-ajax premmerce_wishlist_popup GET, REST /add POST, and the frontend wishlist page GET.",
  "service_started": true,
  "healthcheck_passed": true,
  "target_path_reached": true,
  "runtime_stack": [
    "mariadb:11.4",
    "wordpress:6.7.2-php8.2-apache",
    "woocommerce 8.9.3",
    "premmerce-woocommerce-wishlist 1.1.11/1.1.12/1.1.13"
  ],
  "proof_artifacts": [
    "vuln_variant/artifacts/c0_fixed.body",
    "vuln_variant/artifacts/c0_latest.body",
    "vuln_variant/artifacts/c0_vuln.body",
    "vuln_variant/artifacts/c1_fixed.body",
    "vuln_variant/artifacts/c1_latest.body",
    "vuln_variant/artifacts/c1_vuln.body",
    "vuln_variant/artifacts/c2_fixed.body",
    "vuln_variant/artifacts/c2_latest.body",
    "vuln_variant/artifacts/c2_vuln.body",
    "vuln_variant/artifacts/c3_fixed.body",
    "vuln_variant/artifacts/c3_latest.body",
    "vuln_variant/artifacts/c3_vuln.body"
  ],
  "oracle": "time-based blind SLEEP(5) in the cookie-derived IN (...) SQL; sleep >= 4.0s => injection fired; < 3.0s => no injection.",
  "candidate_labels": [
    "c0_baseline_add_popup_GET",
    "c1_wc_ajax_popup_GET",
    "c2_rest_add_POST",
    "c3_page_render_GET"
  ],
  "vulnerable_1111_sleep_seconds": [
    5.19668,
    6.053645,
    5.156079,
    5.138215
  ],
  "fixed_1112_sleep_seconds": [
    0.107576,
    0.042549,
    0.074162,
    0.103984
  ],
  "latest_1113_sleep_seconds": [
    0.120578,
    0.04077,
    0.075403,
    0.099767
  ],
  "vulnerable_sleep_count": 4,
  "fixed_sleep_count": 0,
  "latest_sleep_count": 0,
  "vulnerable_baseline_c0_sleeps": true,
  "bypass_on_fixed_or_latest": false,
  "confirmation_status": "no_bypass",
  "notes": "All four candidate entry points fire SLEEP on vulnerable 1.1.11 (real alternate triggers of the same cookie->concatenation root cause). None fire SLEEP on fixed 1.1.12 or latest 1.1.13. The 1.1.12 fix is defense-in-depth: cookieGet() validates keys with ^[a-zA-Z0-9]{1,13}$ AND every WishlistModel sink is parameterized with $wpdb->prepare(). 1.1.12 and 1.1.13 are byte-identical in security-relevant code. No bypass found."
}