Skip to main content

24liveblog Plugin CVE-2026-9184

| EUVDEUVD-2026-38673 MEDIUM
Missing Authorization (CWE-862)
2026-06-24 Wordfence GHSA-hwxf-h8x7-c976
4.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from Vendor (Wordfence) · only source for this CVE.

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 24, 2026 - 06:58 vuln.today
CVE Published
Jun 24, 2026 - 05:33 cve.org
MEDIUM 4.3

DescriptionCVE.org

The 24liveblog - live blog tool plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update_lb24_token() AJAX function in versions up to, and including, 2.2. The handler only verifies the 'lb24' nonce (which is generated and localized to any user with block editor access via lb24_block_enqueue_scripts()) and does not verify the user's capabilities or that the supplied user_id belongs to the current user. This makes it possible for authenticated attackers, with author-level access and above, to overwrite the lb24_token, lb24_uid, lb24_refresh_token, and lb24_uname user meta values of any user (including administrators) as well as the corresponding site-wide options, effectively hijacking the plugin's integration with the 24liveblog service.

AnalysisAI

Unauthorized token overwrite in the 24liveblog WordPress plugin (versions ≤ 2.2) enables any authenticated user with author-level access or above to hijack the site's 24liveblog service integration. The AJAX handler update_lb24_token() validates only a nonce that is automatically distributed to all block-editor-capable users, but performs no capability check and does not verify that the supplied user_id matches the requester - allowing an author-level attacker to overwrite lb24_token, lb24_uid, lb24_refresh_token, and lb24_uname meta fields for any account including administrators. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as WordPress author
Delivery
Load block editor to receive lb24 nonce
Exploit
Extract nonce from enqueued script data
Execution
Craft AJAX POST to update_lb24_token() with victim user_id
Persist
Handler overwrites victim's 24liveblog user meta and site options
Impact
24liveblog service integration hijacked under attacker credentials

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated WordPress session with at minimum author-level role, which grants block editor access and thereby automatic receipt of the lb24 nonce via the lb24_block_enqueue_scripts() enqueue hook. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) scores 4.3, reflecting a real but constrained risk: the attack is network-accessible with no complexity and requires only low-privilege (author-level) authentication. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An author-level user on a multi-author WordPress site loads the block editor (triggering nonce issuance via lb24_block_enqueue_scripts()), extracts the lb24 nonce from the page source, then submits a crafted wp_ajax_ POST request to update_lb24_token() specifying an administrator's user_id along with attacker-controlled token values. The handler accepts the request, overwrites the administrator's lb24_token and lb24_uid user meta as well as the site-wide 24liveblog options, effectively substituting the attacker's 24liveblog account credentials for the site's integration.
Remediation No vendor-released patch version is identified at time of analysis - the Wordfence advisory and plugin trac references point to vulnerable trunk code with no corresponding fixed release documented in the provided data. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-9184 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy