cleantalk
Vulnerabilities and Security Researches

24liveblog – live blog tool, CVE-2026-9184

CVE, Research URL

CVE-2026-9184

Home page URL

Security reports for 24liveblog – live blog tool

Application

24liveblog – live blog tool

Published on
Jun 24, 2026
Research Description
The 24liveblog - live blog tool plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update_lb24_token() AJAX function in versions up to, and including, 2.2. The handler only verifies the 'lb24' nonce (which is generated and localized to any user with block editor access via lb24_block_enqueue_scripts()) and does not verify the user's capabilities or that the supplied user_id belongs to the current user. This makes it possible for authenticated attackers, with author-level access and above, to overwrite the lb24_token, lb24_uid, lb24_refresh_token, and lb24_uname user meta values of any user (including administrators) as well as the corresponding site-wide options, effectively hijacking the plugin's integration with the 24liveblog service.
Affected versions
max 2.2.
Status
vulnerable
Previous vulnerability researches
24liveblog – live blog tool (CVE-2026-9184) , Jun 25, 2026
24liveblog – live blog tool (CVE-2026-9183) , Jun 25, 2026
New vulnerability
Tourfic – Ultimate Hotel Booking, Travel Booking & Apartment Booking WordPress Plugin | WooCommerce Booking (CVE-2026-12937) , Jun 26, 2026
WP Meta SEO (CVE-2026-9643) , Jun 25, 2026
WP Meta SEO (CVE-2026-11370) , Jun 25, 2026
Bulk SEO Image (CVE-2026-11997) , Jun 25, 2026
URL Preview (CVE-2026-12100) , Jun 25, 2026