Impact
The 24liveblog plugin exposes the 24liveblog integration secrets (API token, refresh token, user ID, and username) to any authenticated user with contributor-level access or higher. The vulnerability occurs because the lb24_block_enqueue_scripts() function, hooked to enqueue_block_editor_assets, falls back to loading the administrator-configured site-wide secrets from the options table and then emits them through wp_localize_script() as a JavaScript object. As a result, an authenticated attacker can open the block editor, view the page source, and extract the third-party 24liveblog account credentials, allowing potential further compromise of the external 24liveblog service. The flaw represents a classic exposure of sensitive information (CWE-200) and primarily threatens confidentiality of third-party API tokens.
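The pattern described above, shown as an added illustration beside a hardened form; this is not the plugin's own code, and the option names, script handle, REST namespace and upstream URL are hypothetical placeholders. The fix keeps the secrets on the server and lets the editor script call a capability-checked REST proxy instead.

```php
<?php
// Added example, not taken from the 24liveblog plugin. All identifiers below
// (option names, handle, route, upstream URL) are placeholders.

// BEFORE: the weak pattern the advisory describes. Anyone who can open the
// block editor (contributor and up) receives the site-wide secrets inline.
function example_liveblog_editor_assets_vulnerable() {
    wp_enqueue_script( 'example-liveblog-block', plugins_url( 'block.js', __FILE__ ), array( 'wp-blocks' ), '1.0', true );
    wp_localize_script( 'example-liveblog-block', 'exampleLiveblog', array(
        'token'        => get_option( 'example_liveblog_api_token' ),     // secret, now in page source
        'refreshToken' => get_option( 'example_liveblog_refresh_token' ), // secret, now in page source
        'userId'       => get_option( 'example_liveblog_user_id' ),
        'username'     => get_option( 'example_liveblog_username' ),
    ) );
}

// AFTER: the editor only learns a REST endpoint, a nonce and a "connected"
// flag. The tokens never reach the browser.
function example_liveblog_editor_assets_hardened() {
    wp_enqueue_script( 'example-liveblog-block', plugins_url( 'block.js', __FILE__ ), array( 'wp-blocks', 'wp-api-fetch' ), '1.0', true );
    wp_localize_script( 'example-liveblog-block', 'exampleLiveblog', array(
        'restUrl'   => esc_url_raw( rest_url( 'example-liveblog/v1/feeds' ) ),
        'nonce'     => wp_create_nonce( 'wp_rest' ),
        'connected' => '' !== (string) get_option( 'example_liveblog_api_token' ),
    ) );
}
add_action( 'enqueue_block_editor_assets', 'example_liveblog_editor_assets_hardened' );

// Server-side proxy: reads the secret itself and gates who may trigger it.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-liveblog/v1', '/feeds', array(
        'methods'             => 'GET',
        // Narrow this capability further if only editors should use the integration.
        'permission_callback' => function () { return current_user_can( 'edit_posts' ); },
        'callback'            => function ( WP_REST_Request $request ) {
            $token    = get_option( 'example_liveblog_api_token' );
            $response = wp_remote_get( 'https://example.invalid/api/feeds', array( // placeholder upstream
                'headers' => array( 'Authorization' => 'Bearer ' . $token ),
                'timeout' => 10,
            ) );
            if ( is_wp_error( $response ) ) {
                return new WP_Error( 'upstream_failed', 'Upstream request failed', array( 'status' => 502 ) );
            }
            // Only the upstream body is relayed; the token stays server-side.
            return rest_ensure_response( json_decode( wp_remote_retrieve_body( $response ), true ) );
        },
    ) );
} );
```

After upgrading, rotate the 24liveblog tokens, since any contributor who opened the editor on a vulnerable version may already hold copies. A quick audit for the same pattern elsewhere is to grep plugin code for wp_localize_script() calls whose arrays are populated from get_option() values that are credentials.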
Affected Systems
The affected product is the 24liveblog live blog tool plugin for WordPress. Versions up to and including 2.2 are impacted. WordPress sites that have installed this plugin and granted contributor-level or higher access to users are vulnerable. No other vendors or products are listed.
Risk and Exploitability
The CVSS score of 4.3 indicates moderate severity, reflecting the requirement for authenticated access and the absence of memory corruption or code execution. The EPSS score is not available, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. Attackers can exploit the flaw by simply logging into the site with contributor or higher privileges, opening the block editor, and inspecting the page source to retrieve the secrets. The attack surface is limited to authenticated users with contributor-level or higher access and requires no additional network reachability.
OpenCVE Enrichment