cleantalk
Vulnerabilities and Security Researches

24liveblog – live blog tool, CVE-2026-9183

CVE, Research URL

CVE-2026-9183

Home page URL

Security reports for 24liveblog – live blog tool

Application

24liveblog – live blog tool

Published on
Jun 24, 2026
Research Description
The 24liveblog - live blog tool plugin for WordPress is vulnerable to Exposure of Sensitive Information in versions up to, and including, 2.2. This is due to the lb24_block_enqueue_scripts() function being hooked to enqueue_block_editor_assets and, for any non-administrator user, falling back to loading the administrator-configured site-wide 24liveblog integration secrets (lb24_token, lb24_refresh_token, lb24_uid, lb24_uname) from the options table via get_option() and emitting them through wp_localize_script() as the lb24BlockData JavaScript object. This makes it possible for authenticated attackers, with contributor-level access and above, to extract third-party 24liveblog account credentials (including the API token and refresh token) by simply opening the block editor and inspecting the page source.
Affected versions
max 2.2.
Status
vulnerable
Previous vulnerability researches
24liveblog – live blog tool (CVE-2026-9184) , Jun 25, 2026
24liveblog – live blog tool (CVE-2026-9183) , Jun 25, 2026
New vulnerability
Tourfic – Ultimate Hotel Booking, Travel Booking & Apartment Booking WordPress Plugin | WooCommerce Booking (CVE-2026-12937) , Jun 26, 2026
WP Meta SEO (CVE-2026-9643) , Jun 25, 2026
WP Meta SEO (CVE-2026-11370) , Jun 25, 2026
Bulk SEO Image (CVE-2026-11997) , Jun 25, 2026
URL Preview (CVE-2026-12100) , Jun 25, 2026