CVE-2026-9183
Exposure of Sensitive Information in 24liveblog WordPress Plugin

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: Wordfence

Description
The 24liveblog - live blog tool plugin for WordPress is vulnerable to Exposure of Sensitive Information in versions up to, and including, 2.2. This is due to the lb24_block_enqueue_scripts() function being hooked to enqueue_block_editor_assets and, for any non-administrator user, falling back to loading the administrator-configured site-wide 24liveblog integration secrets (lb24_token, lb24_refresh_token, lb24_uid, lb24_uname) from the options table via get_option() and emitting them through wp_localize_script() as the lb24BlockData JavaScript object. This makes it possible for authenticated attackers, with contributor-level access and above, to extract third-party 24liveblog account credentials (including the API token and refresh token) by simply opening the block editor and inspecting the page source.
Affected Vendors & Products
Vendor: 24liveblog
Product: live_blog_tool
Version / Range: up to and including 2.2
CWE
CWE-200: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
AI Quick Actions (instant insights powered by AI)
Executive Summary

The 24liveblog WordPress plugin (up to version 2.2) has a vulnerability where sensitive integration secrets are exposed to users with contributor-level access or higher.

This happens because the function lb24_block_enqueue_scripts() is hooked to enqueue_block_editor_assets and, for non-administrator users, it loads administrator-configured 24liveblog credentials from the options table and exposes them via JavaScript on the block editor page.

As a result, authenticated attackers with contributor or higher privileges can extract API tokens and other sensitive account credentials simply by opening the block editor and inspecting the page source.

Impact Analysis

This vulnerability allows attackers with contributor-level access or above to obtain sensitive third-party 24liveblog account credentials, including API tokens and refresh tokens.

With these credentials, attackers could potentially misuse the 24liveblog integration, leading to unauthorized actions or data exposure related to the third-party service.

The CVSS score of 4.3 indicates a low to medium severity impact, primarily involving confidentiality loss without affecting integrity or availability.

Detection Guidance

This vulnerability can be detected by verifying if the 24liveblog plugin version is up to and including 2.2 and by checking if sensitive 24liveblog integration secrets (lb24_token, lb24_refresh_token, lb24_uid, lb24_uname) are exposed in the block editor page source.

To confirm the exposure on a given site, an authenticated user with contributor-level access or higher can open the WordPress block editor and inspect the page source for a JavaScript object named lb24BlockData that contains the tokens.

No specific commands are provided in the available resources to detect this vulnerability on the network or system.

Mitigation Strategies

Immediate mitigation steps include updating the 24liveblog plugin to a version later than 2.2 where this vulnerability is fixed.

Additionally, restrict contributor-level and higher user access to the block editor if possible, until the plugin is updated.

Review and rotate any exposed 24liveblog API tokens and refresh tokens to prevent unauthorized access.
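As an added illustration for the Description and Mitigation sections above (not the plugin's own code, which is not on this page), the pattern the advisory describes beside a hardened form in which the stored secrets never reach the browser. Function, hook and option names come from the advisory; LB24_API_URL, the bearer-token scheme, the REST route and the manage_options gate are assumptions.

```php
<?php
// Added illustration, not the plugin's actual code. Function and option names
// come from the advisory; LB24_API_URL, the auth scheme, the REST route and
// the capability choices are assumptions for the example.

// Problematic pattern: secrets read from wp_options are pushed into the page
// for every user who can open the block editor (contributor and above).
function lb24_block_enqueue_scripts_exposed() {
    wp_enqueue_script( 'lb24-block', plugins_url( 'block.js', __FILE__ ), array( 'wp-blocks' ), false, true );
    wp_localize_script( 'lb24-block', 'lb24BlockData', array(
        'token'        => get_option( 'lb24_token' ),
        'refreshToken' => get_option( 'lb24_refresh_token' ),
        'uid'          => get_option( 'lb24_uid' ),
        'uname'        => get_option( 'lb24_uname' ),
    ) );
}

// Hardened pattern: the editor script only gets a REST route and a nonce.
// Credentials stay server-side and are used by a permission-checked endpoint.
define( 'LB24_API_URL', 'https://api.example.invalid/v1/events' ); // placeholder

function lb24_block_enqueue_scripts_hardened() {
    wp_enqueue_script( 'lb24-block', plugins_url( 'block.js', __FILE__ ), array( 'wp-blocks', 'wp-api-fetch' ), false, true );
    wp_localize_script( 'lb24-block', 'lb24BlockData', array(
        'restUrl' => esc_url_raw( rest_url( 'lb24/v1/events' ) ),
        'nonce'   => wp_create_nonce( 'wp_rest' ),
    ) );
}
add_action( 'enqueue_block_editor_assets', 'lb24_block_enqueue_scripts_hardened' );

add_action( 'rest_api_init', function () {
    register_rest_route( 'lb24/v1', '/events', array(
        'methods'             => 'GET',
        // Only users allowed to manage the integration may trigger upstream
        // calls; the token itself is never part of the response.
        'permission_callback' => function () { return current_user_can( 'manage_options' ); },
        'callback'            => function () {
            $token = get_option( 'lb24_token' );
            if ( empty( $token ) ) {
                return new WP_Error( 'lb24_unconfigured', 'Integration not configured', array( 'status' => 503 ) );
            }
            $resp = wp_remote_get( LB24_API_URL, array(
                'headers' => array( 'Authorization' => 'Bearer ' . $token ),
                'timeout' => 10,
            ) );
            if ( is_wp_error( $resp ) ) { return $resp; }
            return rest_ensure_response( json_decode( wp_remote_retrieve_body( $resp ), true ) );
        },
    ) );
} );
```

With the hardened form, inspecting the block editor's page source shows only the route and nonce, so the check described under Detection Guidance no longer finds the stored tokens.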
