cleantalk
Vulnerabilities and Security Researches

Vulnerabilities and security researches for24liveblog 24liveblog

Direction: descending
Jun 25, 2026

24liveblog – live blog tool # CVE-2026-9184

CVE, Research URL

CVE-2026-9184

Home page URL

Security reports for 24liveblog – live blog tool

Application

24liveblog – live blog tool

Date
Jun 24, 2026
Research Description
The 24liveblog - live blog tool plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update_lb24_token() AJAX function in versions up to, and including, 2.2. The handler only verifies the 'lb24' nonce (which is generated and localized to any user with block editor access via lb24_block_enqueue_scripts()) and does not verify the user's capabilities or that the supplied user_id belongs to the current user. This makes it possible for authenticated attackers, with author-level access and above, to overwrite the lb24_token, lb24_uid, lb24_refresh_token, and lb24_uname user meta values of any user (including administrators) as well as the corresponding site-wide options, effectively hijacking the plugin's integration with the 24liveblog service.
Affected versions
max 2.2.
Status
vulnerable

24liveblog – live blog tool # CVE-2026-9183

CVE, Research URL

CVE-2026-9183

Home page URL

Security reports for 24liveblog – live blog tool

Application

24liveblog – live blog tool

Date
Jun 24, 2026
Research Description
The 24liveblog - live blog tool plugin for WordPress is vulnerable to Exposure of Sensitive Information in versions up to, and including, 2.2. This is due to the lb24_block_enqueue_scripts() function being hooked to enqueue_block_editor_assets and, for any non-administrator user, falling back to loading the administrator-configured site-wide 24liveblog integration secrets (lb24_token, lb24_refresh_token, lb24_uid, lb24_uname) from the options table via get_option() and emitting them through wp_localize_script() as the lb24BlockData JavaScript object. This makes it possible for authenticated attackers, with contributor-level access and above, to extract third-party 24liveblog account credentials (including the API token and refresh token) by simply opening the block editor and inspecting the page source.
Affected versions
max 2.2.
Status
vulnerable