Description
The 24liveblog - live blog tool plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update_lb24_token() AJAX function in versions up to, and including, 2.2. The handler only verifies the 'lb24' nonce (which is generated and localized to any user with block editor access via lb24_block_enqueue_scripts()) and does not verify the user's capabilities or that the supplied user_id belongs to the current user. This makes it possible for authenticated attackers, with author-level access and above, to overwrite the lb24_token, lb24_uid, lb24_refresh_token, and lb24_uname user meta values of any user (including administrators) as well as the corresponding site-wide options, effectively hijacking the plugin's integration with the 24liveblog service.
Published: 2026-06-24
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The 24liveblog plugin for WordPress has a missing authorization check in its update_lb24_token() AJAX handler. The function verifies only a nonce that is generated for any block editor user; it does not confirm that the caller has sufficient capabilities or that the supplied user_id matches the current user. Because of this, any authenticated user with the author role or higher can overwrite the lb24_token, lb24_uid, lb24_refresh_token, and lb24_uname meta fields of any user, including administrators, as well as the related site-wide options. The attacker can thus hijack the integration with the external 24liveblog service and potentially gain further access to, or manipulate, the service's content.

Affected Systems

Installations of the 24liveblog WordPress plugin version 2.2 or earlier are affected. The vulnerability originates in PHP code files exposed in the plugin’s source, as highlighted in the provided URLs.

Risk and Exploitability

The CVSS base score is 4.3, assigning this flaw a moderate severity. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog, indicating a lower current exploitation probability. Nonetheless, the attack requires only author-level or higher credentials and is straightforward: an attacker can invoke the AJAX endpoint and overwrite any user's plugin metadata. The root cause is a missing capability check, which permits privilege escalation and data tampering.

Generated by OpenCVE AI on June 24, 2026 at 09:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the 24liveblog plugin to a release newer than 2.2 where the capability check has been added to the update_lb24_token() action.
  • If an immediate upgrade is not possible, temporarily disable the update_lb24_token() AJAX handler or deactivate the plugin until a patch can be applied.
  • Alternatively, modify the plugin to include a capability check (for example, current_user_can('edit_posts')) and verify that the supplied user_id equals get_current_user_id() before performing any metadata updates.
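The following is an added illustration of what the hardened handler described in the last two bullets looks like; it is not the plugin's own code. The handler name, the `nonce` request field, and the use of the meta keys as option names are assumptions; the nonce action 'lb24', the meta keys, and the capability are taken from the advisory.

```php
<?php
/**
 * Illustrative hardened update_lb24_token AJAX handler (not the plugin's code).
 * The vulnerable version stopped after step 1; steps 2 and 3 are the missing checks.
 */
function lb24_update_token_hardened() {
    // 1. The nonce only proves the request originated from a page WordPress rendered
    //    for a logged-in user; it says nothing about who that user is allowed to change.
    check_ajax_referer( 'lb24', 'nonce' );

    // 2. Capability check: the control the advisory reports as missing.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient capability' ), 403 );
    }

    // 3. Bind the target to the caller: a client-supplied user_id must equal the
    //    current user, otherwise an author could rewrite an administrator's meta.
    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    if ( 0 === $user_id || $user_id !== get_current_user_id() ) {
        wp_send_json_error( array( 'message' => 'user_id does not match current user' ), 403 );
    }

    // 4. Only the meta keys named in the advisory, sanitised, written to the caller's own row.
    $keys = array( 'lb24_token', 'lb24_uid', 'lb24_refresh_token', 'lb24_uname' );
    foreach ( $keys as $key ) {
        if ( isset( $_POST[ $key ] ) ) {
            update_user_meta( $user_id, $key, sanitize_text_field( wp_unslash( $_POST[ $key ] ) ) );
        }
    }

    // 5. Site-wide options affect every user, so they are gated on manage_options here
    //    (assumed design choice; option names assumed to mirror the meta keys).
    if ( current_user_can( 'manage_options' ) ) {
        foreach ( $keys as $key ) {
            if ( isset( $_POST[ $key ] ) ) {
                update_option( $key, sanitize_text_field( wp_unslash( $_POST[ $key ] ) ) );
            }
        }
    }

    wp_send_json_success( array( 'user_id' => $user_id ) );
}
// Logged-in hook only; no wp_ajax_nopriv_ registration, so anonymous requests never reach it.
add_action( 'wp_ajax_update_lb24_token', 'lb24_update_token_hardened' );
```

When reviewing a site for this issue, the three checks above (nonce, capability, target-equals-caller) are the items to confirm in the installed plugin's handler.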

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 06:30:00 +0000

Type | Values Removed | Values Added

Description | (none) | identical to the Description at the top of this page
Title | (none) | 24liveblog <= 2.2 - Missing Authorization to Authenticated (Author+) Settings Modification via update_lb24_token AJAX action
Weaknesses | (none) | CWE-862
References | (none) | (none)
Metrics | (none) | cvssV3_1: score 4.3, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-24T05:33:27.676Z

Reserved: 2026-05-21T14:55:58.925Z

Link: CVE-2026-9184

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T09:15:06Z

Weaknesses