Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

CVE-2026-9183— 24liveblog <= 2.2 - Authenticated (Contributor+) Exposure of Sensitive Information via Block Editor Script Localization

CVSS 4.3 · Medium EPSS 0.21% · P11

Possible ATT&CK Techniques 1AI

T1530 · Data from Cloud Storage

Affected Version Matrix 1

VendorProductVersion RangeStatus
24liveblog24liveblog – live blog tool≤ 2.2affected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-9183

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
24liveblog <= 2.2 - Authenticated (Contributor+) Exposure of Sensitive Information via Block Editor Script Localization
Source: NVD (National Vulnerability Database)
Vulnerability Description
The 24liveblog - live blog tool plugin for WordPress is vulnerable to Exposure of Sensitive Information in versions up to, and including, 2.2. This is due to the lb24_block_enqueue_scripts() function being hooked to enqueue_block_editor_assets and, for any non-administrator user, falling back to loading the administrator-configured site-wide 24liveblog integration secrets (lb24_token, lb24_refresh_token, lb24_uid, lb24_uname) from the options table via get_option() and emitting them through wp_localize_script() as the lb24BlockData JavaScript object. This makes it possible for authenticated attackers, with contributor-level access and above, to extract third-party 24liveblog account credentials (including the API token and refresh token) by simply opening the block editor and inspecting the page source.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
信息暴露
Source: NVD (National Vulnerability Database)
Vulnerability Title
24liveblog 信息泄露漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
24liveblog 24liveblog是24liveblog个人开发者的一个实时博客平台组件。 24liveblog 2.2及之前版本存在信息泄露漏洞,该漏洞源于lb24_block_enqueue_scripts()函数在加载编辑资源时,对非管理员用户降级使用get_option()加载管理员配置的站点级24liveblog集成密钥(lb24_token, lb24_refresh_token, lb24_uid, lb24_uname)并通过wp_localize_script()作为lb24Bl
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
24liveblog24liveblog – live blog tool 0 ~ 2.2 -

II. Public POCs for CVE-2026-9183

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-9183

登录查看更多情报信息。

Patches & Fixes for CVE-2026-9183 (1)

News Coverage for CVE-2026-9183 (1)

IV. Related Vulnerabilities

V. Comments for CVE-2026-9183

No comments yet


Leave a comment