Skip to main content

24Liveblog Live Blog Tool

2 CVEs product

Monthly

CVE-2026-9183 MEDIUM This Month

Authenticated information disclosure in the 24liveblog WordPress plugin (versions ≤ 2.2) exposes third-party API credentials - including OAuth access tokens, refresh tokens, account UIDs, and usernames - to any contributor-level WordPress user who opens the block editor. The plugin's lb24_block_enqueue_scripts() function, hooked to enqueue_block_editor_assets, retrieves administrator-configured integration secrets from the WordPress options table and renders them into the page as a JavaScript global object (lb24BlockData) for all non-administrator users, where they are readable via basic browser source inspection. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in CISA KEV, but exploitation is trivially simple for any user holding a WordPress contributor account.

Information Disclosure WordPress 24Liveblog Live Blog Tool
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-9184 MEDIUM This Month

Unauthorized token overwrite in the 24liveblog WordPress plugin (versions ≤ 2.2) enables any authenticated user with author-level access or above to hijack the site's 24liveblog service integration. The AJAX handler update_lb24_token() validates only a nonce that is automatically distributed to all block-editor-capable users, but performs no capability check and does not verify that the supplied user_id matches the requester - allowing an author-level attacker to overwrite lb24_token, lb24_uid, lb24_refresh_token, and lb24_uname meta fields for any account including administrators. No public exploit code or CISA KEV listing has been identified at time of analysis, and CVSS rates this as medium-low (4.3), consistent with the authenticated-only, integrity-limited impact.

Authentication Bypass WordPress 24Liveblog Live Blog Tool
NVD
CVSS 3.1
4.3
EPSS
0.2%
EPSS 0% CVSS 4.3
MEDIUM This Month

Authenticated information disclosure in the 24liveblog WordPress plugin (versions ≤ 2.2) exposes third-party API credentials - including OAuth access tokens, refresh tokens, account UIDs, and usernames - to any contributor-level WordPress user who opens the block editor. The plugin's lb24_block_enqueue_scripts() function, hooked to enqueue_block_editor_assets, retrieves administrator-configured integration secrets from the WordPress options table and renders them into the page as a JavaScript global object (lb24BlockData) for all non-administrator users, where they are readable via basic browser source inspection. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in CISA KEV, but exploitation is trivially simple for any user holding a WordPress contributor account.

Information Disclosure WordPress 24Liveblog Live Blog Tool
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Unauthorized token overwrite in the 24liveblog WordPress plugin (versions ≤ 2.2) enables any authenticated user with author-level access or above to hijack the site's 24liveblog service integration. The AJAX handler update_lb24_token() validates only a nonce that is automatically distributed to all block-editor-capable users, but performs no capability check and does not verify that the supplied user_id matches the requester - allowing an author-level attacker to overwrite lb24_token, lb24_uid, lb24_refresh_token, and lb24_uname meta fields for any account including administrators. No public exploit code or CISA KEV listing has been identified at time of analysis, and CVSS rates this as medium-low (4.3), consistent with the authenticated-only, integrity-limited impact.

Authentication Bypass WordPress 24Liveblog Live Blog Tool
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy