{
  "entrypoint_kind": "api_remote",
  "entrypoint_detail": "Unauthenticated HTTP POST to /wp-admin/admin-ajax.php?action=de_fb_image_upload in the original Divi Form Builder v5.1.2 plugin; GET of /wp-content/uploads/de_fb_uploads/*.phtml executes via Apache/PHP",
  "service_started": true,
  "healthcheck_passed": true,
  "target_path_reached": true,
  "runtime_stack": [
    "apache",
    "mod_php",
    "mariadb",
    "wordpress",
    "original divi-form-builder 5.1.2"
  ],
  "proof_artifacts": [
    "logs/reproduction_steps.log",
    "logs/source_identity.txt",
    "logs/vuln_attempt_1/upload_response.json",
    "logs/vuln_attempt_1/execution_response.txt",
    "logs/vuln_attempt_1/result.json",
    "logs/vuln_attempt_2/upload_response.json",
    "logs/vuln_attempt_2/execution_response.txt",
    "logs/vuln_attempt_2/result.json",
    "logs/fixed_attempt_1/upload_response.json",
    "logs/fixed_attempt_1/execution_response.txt",
    "logs/fixed_attempt_1/result.json",
    "logs/fixed_attempt_2/upload_response.json",
    "logs/fixed_attempt_2/execution_response.txt",
    "logs/fixed_attempt_2/result.json",
    "logs/apache_access.log",
    "logs/apache_error.log",
    "logs/fixed_patch.diff"
  ],
  "notes": "Confirmed: original Divi Form Builder v5.1.2 accepts attacker-controlled acceptFileTypes=phtml|phar|php5|php7, stores a .phtml payload in /wp-content/uploads/de_fb_uploads/, and Apache/PHP executes it. The local fixed patch rejects the executable extension list before upload."
}