CVE-2026-9184
MediumCVSS 4.3Exploitation Probability (EPSS)
Low risk12th percentile - higher than 12% of all known CVEs
Summary
The 24liveblog plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check in the update_lb24_token() AJAX function. Attackers with author-level access can overwrite user meta values and site-wide options of the plugin.
Risk Assessment
The organization may be exposed to hijacking of the plugin's integration with the 24liveblog service, potentially leading to unauthorized access to user data, including administrators.
Recommendation
It is recommended to update the 24liveblog plugin to the latest version to mitigate this vulnerability and implement additional capability checks in the update_lb24_token() function.
Original NVD description (English source)
The 24liveblog - live blog tool plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update_lb24_token() AJAX function in versions up to, and including, 2.2. The handler only verifies the 'lb24' nonce (which is generated and localized to any user with block editor access via lb24_block_enqueue_scripts()) and does not verify the user's capabilities or that the supplied user_id belongs to the current user. This makes it possible for authenticated attackers, with author-level access and above, to overwrite the lb24_token, lb24_uid, lb24_refresh_token, and lb24_uname user meta values of any user (including administrators) as well as the corresponding site-wide options, effectively hijacking the plugin's integration with the 24liveblog service.

