PT-2026-51695 · 24Liveblog · 24Liveblog – Live Blog Tool

Joy Gilbert · Published 2026-06-24 · Updated 2026-06-24 · CVE-2026-9184

CVSS v3.1: 4.3 Medium

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

The 24liveblog - live blog tool plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update_lb24_token() AJAX function in versions up to, and including, 2.2. The handler only verifies the 'lb24' nonce (which is generated and localized to any user with block editor access via lb24_block_enqueue_scripts()) and does not verify the user's capabilities or that the supplied user_id belongs to the current user. This makes it possible for authenticated attackers, with author-level access and above, to overwrite the lb24_token, lb24_uid, lb24_refresh_token, and lb24_uname user meta values of any user (including administrators) as well as the corresponding site-wide options, effectively hijacking the plugin's integration with the 24liveblog service.
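
The checks the description says are missing, shown in a hardened handler of the same shape. This is an added example, not the plugin's code or its patch: the AJAX action name, handler name, POST field names, chosen capabilities, the underscore spellings of the keys, and the reuse of the meta keys as option names are all assumptions.

```php
<?php
// Added illustration, not the plugin's source. Action name, POST field names,
// capabilities and option names are assumptions; the 'lb24' nonce action and
// the four lb24 keys are taken from the advisory text.
add_action( 'wp_ajax_example_lb24_update_token', 'example_lb24_update_token' );

function example_lb24_update_token() {
    // 1. Nonce: shows the request came from a page rendered for this session.
    //    It is an anti-CSRF control, not an authorization decision.
    if ( ! check_ajax_referer( 'lb24', 'nonce', false ) ) {
        wp_send_json_error( 'invalid nonce', 403 );
    }

    // 2. Capability: the caller must be allowed to use the integration at all.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Ownership: never trust a client-supplied user id. Reject any request
    //    that names a user other than the authenticated one.
    $current_id = get_current_user_id();
    $target_id  = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : $current_id;
    if ( $target_id !== $current_id ) {
        wp_send_json_error( 'user mismatch', 403 );
    }

    // Collect only the expected keys, unslashed and sanitized.
    $values = array();
    foreach ( array( 'lb24_token', 'lb24_uid', 'lb24_refresh_token', 'lb24_uname' ) as $key ) {
        if ( isset( $_POST[ $key ] ) ) {
            $values[ $key ] = sanitize_text_field( wp_unslash( $_POST[ $key ] ) );
        }
    }

    // Per-user values are written for the session's own user id only.
    foreach ( $values as $key => $value ) {
        update_user_meta( $current_id, $key, $value );
    }

    // 4. Site-wide options change the integration for everyone, so they are
    //    gated behind an administrator capability.
    if ( current_user_can( 'manage_options' ) ) {
        foreach ( $values as $key => $value ) {
            update_option( $key, $value );
        }
    }

    wp_send_json_success();
}
```

For review of similar handlers: a `wp_ajax_` callback that calls `update_user_meta()` or `update_option()` after only a nonce check, or that takes the target user id from the request, has the same gap.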

Fix

Missing Authorization

Weakness Enumeration

Related Identifiers

CVE-2026-9184

Affected Products

24Liveblog – Live Blog Tool