CVE-2026-0717
Sensitive Information Exposure in LottieFiles Gutenberg Plugin API

Publication date: 2026-01-14

Last updated on: 2026-04-08

Assigner: Wordfence

Description
The LottieFiles – Lottie block for Gutenberg plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.0.0 via the `/wp-json/lottiefiles/v1/settings/` REST API endpoint. This makes it possible for unauthenticated attackers to retrieve the site owner's LottieFiles.com account credentials including their API access token and email address when the 'Share LottieFiles account with other WordPress users' option is enabled.
Meta Information
Generated: 2026-05-27
AI Q&A: 2026-01-14
EPSS Evaluated: 2026-05-25
Affected Vendors & Products
Vendor: lottiefiles
Product: lottie_block_for_gutenberg
Version / Range: up to 3.0.0 (inclusive)
CWE
CWE-200: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability exposes sensitive information such as the site owner's LottieFiles.com account credentials, including API access tokens and email addresses, to unauthenticated attackers. Such exposure of personal and authentication data can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access. Therefore, this vulnerability negatively impacts compliance with these common standards and regulations by risking unauthorized disclosure of protected data. [2]


Can you explain this vulnerability to me?

This vulnerability exists in the LottieFiles – Lottie block for Gutenberg WordPress plugin (up to version 3.0.0) and involves sensitive information exposure via the `/wp-json/lottiefiles/v1/settings/` REST API endpoint. Because the REST API endpoints have no authentication or permission checks (`permission_callback` always returns true), unauthenticated attackers can access the site owner's LottieFiles.com account credentials, including their API access token and email address, if the 'Share LottieFiles account with other WordPress users' option is enabled. This happens because the plugin exposes privileged configuration data without proper access controls. [2]


How can this vulnerability impact me?

This vulnerability can allow unauthenticated attackers to retrieve sensitive account credentials such as API access tokens and email addresses associated with the LottieFiles.com account of the site owner. This could lead to unauthorized access to the LottieFiles account, potential misuse of API access, and compromise of the site's integration with LottieFiles services. Additionally, because the REST API endpoints allow modification and deletion of configuration data without authentication, attackers could alter or delete plugin settings, potentially disrupting site functionality or escalating privileges. [2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

You can detect this vulnerability by checking if the vulnerable REST API endpoint `/wp-json/lottiefiles/v1/settings/` is accessible without authentication. For example, you can use the following curl command to see if sensitive information is exposed:

curl -X GET https://your-wordpress-site.com/wp-json/lottiefiles/v1/settings/

If the response contains LottieFiles.com account credentials such as API tokens or email addresses, the site is vulnerable. Additionally, monitoring HTTP requests to this endpoint for unauthorized access attempts can help detect exploitation. [2]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include disabling or restricting access to the `/wp-json/lottiefiles/v1/settings/` REST API endpoint to prevent unauthenticated access. This can be done by applying authentication or capability checks to the endpoint or by disabling the LottieFiles – Lottie block for Gutenberg plugin until a patched version is available. Also, review and disable the 'Share LottieFiles account with other WordPress users' option if enabled, as it contributes to the exposure of sensitive credentials. [2]
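As an added illustration of the access-control fix the answer describes (this is not the plugin's own code; the route namespace and path come from the advisory, while the function and option names are assumed), the following contrasts a REST route whose `permission_callback` always returns true with a registration that requires an authenticated user holding the `manage_options` capability:

```php
<?php
// Added example, not the LottieFiles plugin's code. Route taken from the
// advisory; function and option names below are assumed for illustration.

// Weak pattern from the advisory: '__return_true' means WordPress performs no
// authentication or capability check, so any visitor can read (and, for
// ALLMETHODS, modify or delete) the settings. Shown for contrast; not hooked.
function example_register_settings_route_weak() {
    register_rest_route( 'lottiefiles/v1', '/settings/', array(
        'methods'             => WP_REST_Server::ALLMETHODS,
        'callback'            => 'example_settings_handler',
        'permission_callback' => '__return_true',
    ) );
}

// Hardened permission check. WordPress REST authentication (cookie + nonce,
// or an application password) resolves the current user before this runs;
// anonymous callers get 401 and logged-in users without the capability 403.
function example_settings_permission( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_not_logged_in', 'Authentication required.',
            array( 'status' => 401 ) );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient permissions.',
            array( 'status' => 403 ) );
    }
    return true;
}

// Hardened registration: read-only method, real permission callback.
function example_register_settings_route_hardened() {
    register_rest_route( 'lottiefiles/v1', '/settings/', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_settings_handler',
        'permission_callback' => 'example_settings_permission',
    ) );
}

// Even for authorized callers, return only what the editor UI needs rather
// than the raw access token and email. Option name is assumed.
function example_settings_handler( WP_REST_Request $request ) {
    $settings = (array) get_option( 'example_lottiefiles_settings', array() );
    return rest_ensure_response( array(
        'share_account'    => ! empty( $settings['share_account'] ),
        'token_configured' => ! empty( $settings['access_token'] ),
    ) );
}

add_action( 'rest_api_init', 'example_register_settings_route_hardened' );
```

After deploying such a check, the curl request from the detection answer should return a 401 `rest_not_logged_in` JSON error instead of the settings object.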

