24liveblog <= 2.2 - Missing Authorization to Authenticated (Author+) Settings Modification via update_lb24_token AJAX action
Description
The 24liveblog - live blog tool plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update_lb24_token() AJAX function in versions up to, and including, 2.2. The handler only verifies the 'lb24' nonce (which is generated and localized to any user with block editor access via lb24_block_enqueue_scripts()) and does not verify the user's capabilities or that the supplied user_id belongs to the current user. This makes it possible for authenticated attackers, with author-level access and above, to overwrite the lb24_token, lb24_uid, lb24_refresh_token, and lb24_uname user meta values of any user (including administrators) as well as the corresponding site-wide options, effectively hijacking the plugin's integration with the 24liveblog service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
1- Range: <=2.2
Patches
Vulnerability mechanics
Root cause
"Missing capability and ownership checks in the update_lb24_token() AJAX handler allow any authenticated user with block editor access to overwrite arbitrary user meta and site options."
Attack vector
An authenticated attacker with author-level access or higher can craft a POST request to the `wp_ajax_update_lb24_token` action. The handler only checks the `lb24` nonce (which is exposed to any user with block editor access via `lb24_settings_assets()`) and does not verify that the supplied `user_id` parameter belongs to the current user or that the user has the required capabilities. By providing an arbitrary `user_id` and attacker-controlled token values (`user_token`, `user_uid`, `user_refresh_token`, `user_uname`), the attacker overwrites both the targeted user's meta fields and the corresponding site-wide options, effectively hijacking the plugin's integration with the 24liveblog service.
Affected code
The vulnerability resides in the `update_lb24_token()` AJAX handler defined in `plugin.php`. The function is registered via `wp_ajax_update_lb24_token` and lacks any capability or ownership check — it only verifies the `lb24` nonce via `check_ajax_referer`. The `lb24_settings_assets()` function localizes this nonce to any user with block editor access, making it available to authenticated attackers with author-level access and above.
What the fix does
The patch does not show a fix; the provided references are all the same vulnerable version of `plugin.php`. The advisory states that the fix should add a capability check (e.g., `current_user_can('manage_options')`) and verify that the supplied `user_id` matches the current user's ID before performing the update operations. Without these checks, any authenticated user with block editor access can overwrite arbitrary user meta and site options.
Preconditions
- authThe attacker must be an authenticated WordPress user with at least author-level access (block editor access).
- inputThe attacker must know or obtain the 'lb24' nonce, which is localized to any user with block editor access via lb24_settings_assets().
Generated on Jun 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
6- plugins.trac.wordpress.org/browser/24liveblog/trunk/plugin.phpmitre
- plugins.trac.wordpress.org/browser/24liveblog/trunk/plugin.phpmitre
- plugins.trac.wordpress.org/browser/24liveblog/trunk/plugin.phpmitre
- plugins.trac.wordpress.org/browser/24liveblog/trunk/plugin.phpmitre
- plugins.trac.wordpress.org/browser/24liveblog/trunk/src/init.phpmitre
- www.wordfence.com/threat-intel/vulnerabilities/id/a7f22854-049a-4b4f-a448-13c416e0a6b7mitre
News mentions
0No linked articles in our index yet.