CVE Catalog

CVE-2026-9183

MediumCVSS 4.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.21%

11th percentile - higher than 11% of all known CVEs

Summary

The 24liveblog plugin for WordPress up to version 2.2 exposes sensitive 24liveblog account credentials (API token, refresh token, user ID, and username) to any authenticated user with contributor-level access or higher. This occurs because the lb24_block_enqueue_scripts() function emits these secrets via wp_localize_script() as the lb24BlockData JavaScript object when loading the block editor.

Risk Assessment

An attacker with low privileges (contributor) can take over the victim's 24liveblog account, gaining API access and potentially modifying or stealing live broadcast content, compromising data confidentiality and integrity.

Recommendation

Immediately update the 24liveblog plugin to the latest available version that fixes this vulnerability. If no update is available, temporarily restrict block editor access to administrators only or disable the plugin.

Original NVD description (English source)

The 24liveblog - live blog tool plugin for WordPress is vulnerable to Exposure of Sensitive Information in versions up to, and including, 2.2. This is due to the lb24_block_enqueue_scripts() function being hooked to enqueue_block_editor_assets and, for any non-administrator user, falling back to loading the administrator-configured site-wide 24liveblog integration secrets (lb24_token, lb24_refresh_token, lb24_uid, lb24_uname) from the options table via get_option() and emitting them through wp_localize_script() as the lb24BlockData JavaScript object. This makes it possible for authenticated attackers, with contributor-level access and above, to extract third-party 24liveblog account credentials (including the API token and refresh token) by simply opening the block editor and inspecting the page source.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS