Atomic Edge analysis of CVE-2026-24593:
The AWP Classifieds plugin for WordPress, in versions up to and including 4.4.3, contains an unauthenticated information exposure vulnerability: an attacker with no account on the site can retrieve the rendered content of any listing, including the user and configuration data that listing contains. The flaw resides in the listing preview generation functionality, which performed no authorization check before rendering.

Root Cause:
The vulnerability exists in the `AWPCP_GenerateListingPreviewAjaxHandler` class within `/includes/frontend/class-generate-listing-preview-ajax-handler.php`. The `ajax()` method (lines 44-54) takes a user-supplied listing ID from the POST parameter `ad_id`, loads the corresponding listing object and renders it, without ever asking whether the requester is entitled to see that listing. Neither a nonce check nor a user permission check was performed before the content was rendered, so any listing that could be reached by ID could be read by an unauthenticated user.

Exploitation:
Attackers can exploit this vulnerability by sending a POST request to `/wp-admin/admin-ajax.php` with the `action` parameter set to `awpcp-generate-listing-preview` and the `ad_id` parameter set to the numeric ID of any existing listing. The endpoint returns the full rendered content of that listing, which may include user contact details or configuration data. No session cookie and no nonce are required; in WordPress terms, the action is reachable through the unauthenticated admin-ajax path as well as the authenticated one, which is what makes the missing checks exploitable by anyone. Because listing IDs are sequential post IDs, an attacker can iterate over them to harvest every listing on the site. To confirm whether a site is affected, send the request without a session and without a nonce for a listing ID known to exist: a vulnerable version returns the rendered listing, while a patched version rejects the request.

Patch Analysis:
The patch in version 4.4.4 adds authorization checks to the listing preview generation process. The `ajax()` method now calls `try_to_generate_listing_preview()` (lines 51-71), which performs two validations in order. First, it verifies a nonce parameter against the action `awpcp-save-listing-information-{$listing->ID}` (line 69); because the action string includes the listing ID, a nonce issued for one listing cannot be replayed against another. Second, it calls `is_current_user_allowed_to_preview_listing()` (lines 73-90), which allows the preview only for logged-in users with edit permission on the listing, or for listings still in the auto-draft state (the state used while a submission is being created). The patch also adds the previously missing `ListingAuthorization` dependency to the handler's constructor. Note that the nonce on its own is a CSRF control rather than an authentication or authorization mechanism; it is the second check, the per-user permission decision, that actually closes the exposure.
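The two handler shapes described under Root Cause and Patch Analysis, reconstructed as an added illustration. This is not the AWP Classifieds plugin's own code: the `demo_` function names, the hook and action names, the nonce action string and the JSON response shape are assumptions chosen to mirror the analysis above using only core WordPress APIs (`add_action`, `wp_verify_nonce`, `wp_create_nonce`, `current_user_can`, `get_post_status`, `wp_send_json_*`).

```php
<?php
// Added illustration, not the AWP Classifieds plugin's own code. All demo_* names,
// hook names and the nonce action string are hypothetical; the WordPress functions
// called are real core APIs.

// --- Vulnerable shape: no nonce, no authorization decision ---------------------

// Registering the nopriv hook is what makes an admin-ajax.php action reachable
// without a session; combined with the missing checks below, this is the
// unauthenticated exposure described under Exploitation.
add_action( 'wp_ajax_demo-generate-listing-preview',        'demo_preview_vulnerable' );
add_action( 'wp_ajax_nopriv_demo-generate-listing-preview', 'demo_preview_vulnerable' );

function demo_preview_vulnerable() {
    $ad_id   = absint( $_POST['ad_id'] ?? 0 );
    $listing = get_post( $ad_id );             // any existing listing ID works
    if ( ! $listing ) {
        wp_send_json_error( array( 'message' => 'Listing not found.' ), 404 );
    }
    // Rendered content is handed to whoever asked: this is the information exposure.
    wp_send_json_success( array( 'html' => apply_filters( 'the_content', $listing->post_content ) ) );
}

// --- Hardened shape: per-listing nonce, then an authorization decision ---------

add_action( 'wp_ajax_demo-generate-listing-preview-fixed',        'demo_preview_hardened' );
add_action( 'wp_ajax_nopriv_demo-generate-listing-preview-fixed', 'demo_preview_hardened' );

function demo_preview_hardened() {
    $ad_id   = absint( $_POST['ad_id'] ?? 0 );
    $listing = get_post( $ad_id );
    if ( ! $listing ) {
        wp_send_json_error( array( 'message' => 'Listing not found.' ), 404 );
    }

    // 1. Nonce bound to this specific listing, so a nonce minted for listing 12
    //    cannot be replayed against listing 13. A nonce is a CSRF control only:
    //    anyone who can read the page that embeds it can send it, so step 2 is
    //    still required.
    $nonce = isset( $_POST['nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['nonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'demo-save-listing-information-' . $listing->ID ) ) {
        wp_send_json_error( array( 'message' => 'Invalid or missing nonce.' ), 403 );
    }

    // 2. Authorization: may the current requester preview this listing?
    if ( ! demo_current_user_allowed_to_preview( $listing ) ) {
        wp_send_json_error( array( 'message' => 'You are not allowed to preview this listing.' ), 403 );
    }

    wp_send_json_success( array( 'html' => apply_filters( 'the_content', $listing->post_content ) ) );
}

/**
 * Mirrors the rule described under Patch Analysis: a listing still in the
 * auto-draft state (one the submission flow is in the middle of creating) may be
 * previewed, otherwise the requester must be logged in and able to edit it.
 */
function demo_current_user_allowed_to_preview( WP_Post $listing ) {
    if ( 'auto-draft' === get_post_status( $listing ) ) {
        return true;
    }
    return is_user_logged_in() && current_user_can( 'edit_post', $listing->ID );
}

/**
 * The nonce the legitimate front-end embeds in the listing form. It is generated
 * server-side for the user who was already allowed to load that form, which is
 * why the preview handler can treat it as proof the request came from that form.
 */
function demo_listing_preview_nonce( $listing_id ) {
    return wp_create_nonce( 'demo-save-listing-information-' . (int) $listing_id );
}
```

Two review points follow from the hardened shape. Ordering matters: checking the nonce before loading or rendering anything keeps the cheap rejection path first, but the nonce never substitutes for the permission decision, since WordPress nonces are tied to the current user (or to the anonymous session) and action string, not to what that user may read. And the auto-draft branch is the one place where the nonce is the only gate, so any review of a similar fix should confirm that a listing in that state holds nothing worth protecting, and that it leaves the state once the submission is saved.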

Impact:
Successful exploitation allows an unauthenticated attacker to read any listing on the site, and by iterating listing IDs, every listing. The exposed content can include user contact information such as email addresses, phone numbers and physical addresses, as well as confidential business details placed in a listing. That data is directly usable for social engineering, spam campaigns or identity theft. The CVSS score of 5.3 (Medium) reflects a network-reachable, unauthenticated flaw whose impact is limited to confidentiality; there is no integrity or availability impact.