Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Primary rating from Vendor (Wordfence) · only source for this CVE.
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The 24liveblog - live blog tool plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update_lb24_token() AJAX function in versions up to, and including, 2.2. The handler only verifies the 'lb24' nonce (which is generated and localized to any user with block editor access via lb24_block_enqueue_scripts()) and does not verify the user's capabilities or that the supplied user_id belongs to the current user. This makes it possible for authenticated attackers, with author-level access and above, to overwrite the lb24_token, lb24_uid, lb24_refresh_token, and lb24_uname user meta values of any user (including administrators) as well as the corresponding site-wide options, effectively hijacking the plugin's integration with the 24liveblog service.
AnalysisAI
Unauthorized token overwrite in the 24liveblog WordPress plugin (versions ≤ 2.2) enables any authenticated user with author-level access or above to hijack the site's 24liveblog service integration. The AJAX handler update_lb24_token() validates only a nonce that is automatically distributed to all block-editor-capable users, but performs no capability check and does not verify that the supplied user_id matches the requester - allowing an author-level attacker to overwrite lb24_token, lb24_uid, lb24_refresh_token, and lb24_uname meta fields for any account including administrators. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated WordPress session with at minimum author-level role, which grants block editor access and thereby automatic receipt of the lb24 nonce via the lb24_block_enqueue_scripts() enqueue hook. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) scores 4.3, reflecting a real but constrained risk: the attack is network-accessible with no complexity and requires only low-privilege (author-level) authentication. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An author-level user on a multi-author WordPress site loads the block editor (triggering nonce issuance via lb24_block_enqueue_scripts()), extracts the lb24 nonce from the page source, then submits a crafted wp_ajax_ POST request to update_lb24_token() specifying an administrator's user_id along with attacker-controlled token values. The handler accepts the request, overwrites the administrator's lb24_token and lb24_uid user meta as well as the site-wide 24liveblog options, effectively substituting the attacker's 24liveblog account credentials for the site's integration. |
| Remediation | No vendor-released patch version is identified at time of analysis - the Wordfence advisory and plugin trac references point to vulnerable trunk code with no corresponding fixed release documented in the provided data. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in 24Liveblog Live Blog Tool
View allSame weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38673
GHSA-hwxf-h8x7-c976