CVE-2026-9183 MEDIUM

CVE-2026-9183: 24liveblog <= 2.2 - Authenticated (Contributor+) Exposure of Sensitive Information via Block Editor Script Localization

Vendor: 24Liveblog
Product: 24liveblog – live blog tool
Weakness: CWE-200 · Info exposure
Published: June 24, 2026
Last update: June 29, 2026

CVSS base score

4.3/10
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Confidentiality: Low
Integrity: None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01 Description

The 24liveblog - live blog tool plugin for WordPress is vulnerable to Exposure of Sensitive Information in versions up to, and including, 2.2. This is due to the lb24_block_enqueue_scripts() function being hooked to enqueue_block_editor_assets and, for any non-administrator user, falling back to loading the administrator-configured site-wide 24liveblog integration secrets (lb24_token, lb24_refresh_token, lb24_uid, lb24_uname) from the options table via get_option() and emitting them through wp_localize_script() as the lb24BlockData JavaScript object. This makes it possible for authenticated attackers, with contributor-level access and above, to extract third-party 24liveblog account credentials (including the API token and refresh token) by simply opening the block editor and inspecting the page source.
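A post-update check for site owners, added here as an example and not taken from the plugin or from this advisory: it scans saved block-editor HTML from a contributor session for a populated lb24BlockData object. The object's key names (the option names, with or without the lb24_ prefix) and the sample markup are assumptions.

```python
import json
import re

# Secrets the advisory lists, with the lb24_ prefix removed.
SECRET_KEYS = {"token", "refresh_token", "uid", "uname"}

# wp_localize_script() prints: var lb24BlockData = {...};
ASSIGNMENT = re.compile(r"\blb24BlockData\s*=\s*")

# Constructed samples; the script id and all values are made up.
SAMPLE_EXPOSED = """<script id="lb24-block-js-extra">
var lb24BlockData = {"lb24_token":"EXAMPLE-TOKEN","lb24_refresh_token":"EXAMPLE-REFRESH",
 "lb24_uid":"1001","lb24_uname":"newsdesk","pluginUrl":"https://example.test/wp-content/"};
</script>"""
SAMPLE_CLEAN = '<script>var lb24BlockData = {"lb24_token":"","pluginUrl":"https://example.test/"};</script>'


def localized_objects(html):
    """Yield every JSON object assigned to lb24BlockData in the page source."""
    decoder = json.JSONDecoder()
    for match in ASSIGNMENT.finditer(html):
        try:
            # raw_decode stops at the end of the object, so braces or
            # semicolons inside string values do not truncate it.
            obj, _ = decoder.raw_decode(html, match.end())
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict):
            yield obj


def exposed_fields(html):
    """Return the sorted key names that carry a non-empty secret value."""
    found = set()
    for obj in localized_objects(html):
        for key, value in obj.items():
            # Assumption: keys match the option names, with or without "lb24_".
            bare = key[5:] if key.startswith("lb24_") else key
            if bare in SECRET_KEYS and value:
                found.add(key)
    return sorted(found)


if __name__ == "__main__":
    for label, page in (("exposed", SAMPLE_EXPOSED), ("clean", SAMPLE_CLEAN)):
        print(label, exposed_fields(page) or "no 24liveblog secrets in page source")
```

Run it against HTML saved from the block editor while logged in as a contributor; an empty result is the expected outcome on a fixed site.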

Explanation of Vulnerability in Simple Terms

02 Summary

24liveblog versions 2.2 and earlier expose sensitive information to authenticated users. A logged-in user with low privileges can read data they should not have access to. The exposure is limited to confidentiality; the vulnerability does not allow modification or deletion of data. Update to a version newer than 2.2.

What an attacker can do

03 Attacker Capabilities

Read sensitive information accessible only to higher-privileged users.

Potential impact on your site

04 Site Impact

Authenticated users can view private or restricted content they shouldn't access.

Conditions required to exploit

05 Prerequisites

Attacker must have a valid login account with low-level privileges.

Key dates

06 Disclosure timeline

June 24, 2026: CVE published
June 29, 2026: Record updated
