[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fEK9ZJjMjVrnnJmhnzLjWn7LzkwktGgxoPDelTiZZwHg":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-9184","24liveblog-missing-authorization-to-authenticated-author-settings-modification-via-updatelb24token-ajax-action","24liveblog \u003C= 2.2 - Missing Authorization to Authenticated (Author+) Settings Modification via update_lb24_token AJAX action","The 24liveblog - live blog tool plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update_lb24_token() AJAX function in versions up to, and including, 2.2. The handler only verifies the 'lb24' nonce (which is generated and localized to any user with block editor access via lb24_block_enqueue_scripts()) and does not verify the user's capabilities or that the supplied user_id belongs to the current user. This makes it possible for authenticated attackers, with author-level access and above, to overwrite the lb24_token, lb24_uid, lb24_refresh_token, and lb24_uname user meta values of any user (including administrators) as well as the corresponding site-wide options, effectively hijacking the plugin's integration with the 24liveblog service.","24liveblog",null,"\u003C=2.2","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-06-23 16:39:07","2026-06-24 05:33:28",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fa7f22854-049a-4b4f-a448-13c416e0a6b7?source=api-prod",[],"researched",false,3,"This research plan outlines the steps required to demonstrate the missing authorization vulnerability in the **24liveblog** plugin (\u003C= 2.2). An authenticated attacker with Author-level permissions can overwrite sensitive plugin settings for any user (including administrators) and site-wide options.\n\n---\n\n### 1. Vulnerability Summary\n*   **Vulnerability:** Missing Authorization to Authenticated (Author+) Settings Modification.\n*   **Vulnerable Function:** `update_lb24_token()` (AJAX handler).\n*   **Vulnerable Hook:** `wp_ajax_update_lb24_token`.\n*   **Root Cause:** The handler `update_lb24_token()` verifies a nonce (`lb24`) but fails to perform a capability check (e.g., `current_user_can('manage_options')`). Furthermore, it accepts a `user_id` parameter from the request and uses it to update user meta without verifying that the `user_id` matches the requester's ID.\n*   **Impact:** An Author can hijack the 24liveblog integration for the entire site and specifically for administrative users by overwriting API tokens and user identifiers.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** `update_lb24_token`\n*   **Method:** `POST`\n*   **Authentication:** Authenticated, minimum role: **Author** (any user with access to the block editor).\n*   **Payload Parameters:**\n    *   `action`: `update_lb24_token`\n    *   `lb24`: The nonce value (extracted from the block editor).\n    *   `user_id`: The ID of the target user (e.g., `1` for the primary administrator).\n    *   `token`: The new `lb24_token`.\n    *   `uid`: The new `lb24_uid`.\n    *   `refresh_token`: The new `lb24_refresh_token`.\n    *   `uname`: The new `lb24_uname`.\n\n### 3. Code Flow (Inferred)\n1.  **Registration:** The plugin registers the AJAX action via `add_action( 'wp_ajax_update_lb24_token', 'update_lb24_token' )`.\n2.  **Nonce Generation:** In `lb24_block_enqueue_scripts()`, the plugin generates a nonce using `wp_create_nonce('lb24')` and localizes it for use in the Gutenberg block editor.\n3.  **Entry Point:** An authenticated user sends a POST request to `admin-ajax.php` with `action=update_lb24_token`.\n4.  **Verification:** The function `update_lb24_token()` calls `check_ajax_referer('lb24', 'lb24')`. This succeeds if the user has access to the block editor (Author+).\n5.  **Sink:** The function retrieves `$_POST['user_id']` and updates both site options and user meta:\n    *   `update_option('lb24_token', $_POST['token'])`\n    *   `update_user_meta($_POST['user_id'], 'lb24_token', $_POST['token'])`\n    *   (Similar updates for `lb24_uid`, `lb24_refresh_token`, and `lb24_uname`).\n\n### 4. Nonce Acquisition Strategy\nThe `lb24` nonce is localized for the block editor. To obtain it:\n1.  **Login** as the Author user.\n2.  **Create\u002FEdit a Post:** Navigate to the Gutenberg editor (`\u002Fwp-admin\u002Fpost-new.php` or edit an existing post).\n3.  **Extract:** Use `browser_eval` to find the localized variable. Based on common plugin patterns and the function name `lb24_block_enqueue_scripts`, the variable is likely named `lb24_data` or similar.\n    *   Target JS: `window.lb24_data?.nonce` (inferred).\n    *   Alternative: Search the page source for the string `\"lb24\"` within a JSON object.\n\n### 5. Exploitation Strategy\n1.  **Setup:** Create an Author user and identify the Administrator's ID (typically 1).\n2.  **Acquire Nonce:**\n    *   Navigate to the WordPress dashboard as the Author.\n    *   Create a new post to load the Block Editor.\n    *   Extract the `lb24` nonce from the global JS context.\n3.  **Execute Exploit:**\n    *   Send a POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` using the `http_request` tool.\n    *   **Payload:**\n        ```\n        action=update_lb24_token&lb24=[NONCE]&user_id=1&token=pwned_token&uid=pwned_uid&refresh_token=pwned_refresh&uname=pwned_name\n        ```\n4.  **Verify Hijack:** Check if the site-wide options and the Administrator's meta values have changed.\n\n### 6. Test Data Setup\n1.  **Admin User:** Already exists (ID 1).\n2.  **Author User:**\n    ```bash\n    wp user create attacker attacker@example.com --role=author --user_pass=password\n    ```\n3.  **Post for Context:**\n    ```bash\n    wp post create --post_type=post --post_status=publish --post_title=\"Nonce Source\" --post_author=[ATTACKER_ID]\n    ```\n\n### 7. Expected Results\n*   The AJAX request should return a successful response (likely `1` or a JSON success message).\n*   The WordPress database will now contain the \"pwned\" values for both the global options and the administrator's specific meta keys.\n\n### 8. Verification Steps\nAfter the exploit, use WP-CLI to verify the changes:\n1.  **Check Site Options:**\n    ```bash\n    wp option get lb24_token\n    wp option get lb24_uid\n    ```\n2.  **Check Admin User Meta:**\n    ```bash\n    wp user meta get 1 lb24_token\n    wp user meta get 1 lb24_uid\n    ```\n3.  **Expected Outcome:** Both commands should return `pwned_token` and `pwned_uid` respectively, proving that the Author modified Admin\u002FGlobal data.\n\n### 9. Alternative Approaches\n*   **Site-wide Hijack only:** If `user_id` is somehow validated (unlikely based on the CVE description), the exploit still functions to overwrite site-wide `options` which controls the plugin's behavior for all visitors.\n*   **Targeting Other Users:** The exploit can be repeated with different `user_id` values to overwrite tokens for every Editor or Admin on the site.\n*   **Parameter Guessing:** If the localized object name is not `lb24_data`, use `browser_eval(\"Object.keys(window).filter(k => k.toLowerCase().includes('lb24'))\")` to find the correct configuration object.","The 24liveblog plugin for WordPress is vulnerable to unauthorized data modification via the update_lb24_token AJAX action. Authenticated attackers with Author-level access can overwrite site-wide API credentials and user-specific metadata for any user, including administrators, because the function fails to perform capability checks or validate the target user ID.","\u002F* Inferred from plugin version 2.2 AJAX handler registration *\u002F\nadd_action( 'wp_ajax_update_lb24_token', 'update_lb24_token' );\n\nfunction update_lb24_token() {\n    check_ajax_referer('lb24', 'lb24');\n\n    $user_id = $_POST['user_id'];\n    $token = $_POST['token'];\n    $uid = $_POST['uid'];\n    $refresh_token = $_POST['refresh_token'];\n    $uname = $_POST['uname'];\n\n    update_option('lb24_token', $token);\n    update_option('lb24_uid', $uid);\n    update_option('lb24_refresh_token', $refresh_token);\n    update_option('lb24_uname', $uname);\n\n    update_user_meta($user_id, 'lb24_token', $token);\n    update_user_meta($user_id, 'lb24_uid', $uid);\n    update_user_meta($user_id, 'lb24_refresh_token', $refresh_token);\n    update_user_meta($user_id, 'lb24_uname', $uname);\n\n    wp_die();\n}","--- a\u002F24liveblog.php\n+++ b\u002F24liveblog.php\n@@ -1,5 +1,9 @@\n function update_lb24_token() {\n     check_ajax_referer('lb24', 'lb24');\n \n+    if ( ! current_user_can( 'manage_options' ) ) {\n+        wp_die( -1 );\n+    }\n+\n     $user_id = $_POST['user_id'];\n     $token = $_POST['token'];","The exploit targets the 'wp_ajax_update_lb24_token' endpoint. An attacker with Author-level permissions logs into the WordPress dashboard and accesses the block editor to extract the 'lb24' nonce from the localized JavaScript data. The attacker then sends a POST request to '\u002Fwp-admin\u002Fadmin-ajax.php' with the action set to 'update_lb24_token', the stolen nonce, and a 'user_id' parameter set to the ID of a target user (e.g., 1 for administrator). The payload includes malicious strings for 'token', 'uid', 'refresh_token', and 'uname', which the plugin then saves to both site-wide options and the targeted user's metadata without authorization.","gemini-3-flash-preview","2026-06-25 19:30:54","2026-06-25 19:31:10",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002F24liveblog\u002Ftags"]