PT-2026-51694 · 24Liveblog · 24Liveblog – Live Blog Tool

Joy Gilbert · Published 2026-06-24 · Updated 2026-06-24 · CVE-2026-9183

CVSS v3.1: 4.3 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

The 24liveblog - live blog tool plugin for WordPress is vulnerable to Exposure of Sensitive Information in versions up to, and including, 2.2. This is due to the lb24_block_enqueue_scripts() function being hooked to enqueue_block_editor_assets and, for any non-administrator user, falling back to loading the administrator-configured site-wide 24liveblog integration secrets (lb24_token, lb24_refresh_token, lb24_uid, lb24_uname) from the options table via get_option() and emitting them through wp_localize_script() as the lb24BlockData JavaScript object. This makes it possible for authenticated attackers, with contributor-level access and above, to extract third-party 24liveblog account credentials (including the API token and refresh token) by simply opening the block editor and inspecting the page source.
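
For site owners verifying a fix, the following added example (not code from the plugin or from this advisory) checks a saved copy of the block editor page, fetched as a contributor-level test account on your own site, for non-empty secret-like fields in lb24BlockData. The key names inside the object and the sample HTML are assumptions constructed for illustration; only field names are reported, never values.

```python
import json
import re

# Substrings of the option names listed in the advisory. The key names used
# inside lb24BlockData are not given there, so matching by substring is an
# assumption of this example.
SECRET_HINTS = ("token", "uid", "uname")
ASSIGNMENT = re.compile(r"\bvar\s+lb24BlockData\s*=\s*")

# Constructed samples (not captured from a real site): the inline script that
# wp_localize_script() prints, before and after the secrets are withheld.
SAMPLE_EXPOSED = """<script id="example-handle-js-extra">
/* <![CDATA[ */
var lb24BlockData = {"lb24_token":"CONSTRUCTED","lb24_refresh_token":"CONSTRUCTED","lb24_uid":"1001","lb24_uname":"example","postId":"12"};
/* ]]> */
</script>"""
SAMPLE_CLEAN = '<script>var lb24BlockData = {"lb24_token":"","postId":"12"};</script>'


def localized_object(html):
    """Return the object assigned to lb24BlockData as a dict, or None."""
    match = ASSIGNMENT.search(html)
    if not match:
        return None
    try:
        # raw_decode stops at the end of the JSON value, so the trailing
        # ';' and CDATA markers do not need to be stripped first.
        value, _ = json.JSONDecoder().raw_decode(html, match.end())
    except json.JSONDecodeError:
        return None
    return value if isinstance(value, dict) else None


def exposed_fields(html):
    """Names (never values) of non-empty secret-like fields in lb24BlockData."""
    data = localized_object(html) or {}
    return sorted(
        key for key, value in data.items()
        if any(hint in key.lower() for hint in SECRET_HINTS)
        and value not in ("", None, False)
    )


if __name__ == "__main__":
    for label, page in (("exposed", SAMPLE_EXPOSED), ("clean", SAMPLE_CLEAN)):
        print(label, exposed_fields(page))
```

An empty result for a non-administrator session means the object no longer carries these fields; any tokens that were exposed earlier should still be rotated in the 24liveblog account.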

Fix

Information Disclosure


Weakness Enumeration

Related identifiers

CVE-2026-9183

Affected products

24Liveblog – Live Blog Tool