CVE-2026-9183
Deferred Deferred - Pending Action

Exposure of Sensitive Information in 24liveblog WordPress Plugin

Vulnerability report for CVE-2026-9183, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-06-29

Assigner: Wordfence

Description

The 24liveblog - live blog tool plugin for WordPress is vulnerable to Exposure of Sensitive Information in versions up to, and including, 2.2. This is due to the lb24_block_enqueue_scripts() function being hooked to enqueue_block_editor_assets and, for any non-administrator user, falling back to loading the administrator-configured site-wide 24liveblog integration secrets (lb24_token, lb24_refresh_token, lb24_uid, lb24_uname) from the options table via get_option() and emitting them through wp_localize_script() as the lb24BlockData JavaScript object. This makes it possible for authenticated attackers, with contributor-level access and above, to extract third-party 24liveblog account credentials (including the API token and refresh token) by simply opening the block editor and inspecting the page source.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-06-29
Generated
2026-07-14
AI Q&A
2026-06-24
EPSS Evaluated
2026-07-13
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
24liveblog live_blog_tool to 2.2 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The 24liveblog WordPress plugin (up to version 2.2) has a vulnerability where sensitive integration secrets are exposed to users with contributor-level access or higher.

This happens because the function lb24_block_enqueue_scripts() is hooked to enqueue_block_editor_assets and, for non-administrator users, it loads administrator-configured 24liveblog credentials from the options table and exposes them via JavaScript on the block editor page.

As a result, authenticated attackers with contributor or higher privileges can extract API tokens and other sensitive account credentials simply by opening the block editor and inspecting the page source.

Impact Analysis

This vulnerability allows attackers with contributor-level access or above to obtain sensitive third-party 24liveblog account credentials, including API tokens and refresh tokens.

With these credentials, attackers could potentially misuse the 24liveblog integration, leading to unauthorized actions or data exposure related to the third-party service.

The CVSS score of 4.3 indicates a low to medium severity impact, primarily involving confidentiality loss without affecting integrity or availability.

Detection Guidance

This vulnerability can be detected by verifying if the 24liveblog plugin version is up to and including 2.2 and by checking if sensitive 24liveblog integration secrets (lb24_token, lb24_refresh_token, lb24_uid, lb24_uname) are exposed in the block editor page source.

To detect exploitation, an authenticated user with contributor-level access or higher can open the WordPress block editor and inspect the page source for the presence of the JavaScript object lb24BlockData containing sensitive tokens.

No specific commands are provided in the available resources to detect this vulnerability on the network or system.

Mitigation Strategies

Immediate mitigation steps include updating the 24liveblog plugin to a version later than 2.2 where this vulnerability is fixed.

Additionally, restrict contributor-level and higher user access to the block editor if possible, until the plugin is updated.

Review and rotate any exposed 24liveblog API tokens and refresh tokens to prevent unauthorized access.

Compliance Impact

This vulnerability allows authenticated users with contributor-level access or higher to extract sensitive third-party 24liveblog account credentials, including API tokens and refresh tokens, by inspecting the block editor page source.

Exposure of such sensitive information could potentially lead to unauthorized access or misuse of data, which may impact compliance with data protection regulations such as GDPR or HIPAA that require safeguarding sensitive information.

However, the provided information does not explicitly state the direct impact on compliance with these standards.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9183. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart