CVE-2026-0717
📋 TL;DR
The LottieFiles WordPress plugin exposes sensitive account credentials through an unauthenticated REST API endpoint. Unauthenticated attackers can retrieve the site owner's LottieFiles.com API token and email address when the 'Share account' option is enabled. All WordPress sites using this plugin up to version 3.0.0 are affected.
💻 Affected Systems
- LottieFiles – Lottie block for Gutenberg WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain access to the LottieFiles.com account, potentially compromising associated assets, billing information, and using the API token for unauthorized actions.
Likely Case
Attackers harvest API tokens for credential reuse attacks, potentially accessing other services or performing unauthorized API calls against LottieFiles.com.
If Mitigated
Limited exposure if the 'Share account' option is disabled, though the vulnerability still exists in the codebase.
🎯 Exploit Status
A single unauthenticated HTTP GET request to the /wp-json/lottiefiles/v1/settings/ endpoint is sufficient when the vulnerable configuration ('Share account' enabled) is present.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.0.1
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3088478/lottiefiles/trunk/src/common.php
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'LottieFiles – Lottie block for Gutenberg'.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 3.0.1+ from the WordPress plugin repository.
🔧 Temporary Workarounds
Disable Account Sharing
Turn off the vulnerable 'Share account' option in the plugin settings.
Block REST API Endpoint
Use a web application firewall or an .htaccess rule to block access to /wp-json/lottiefiles/v1/settings/, for example:
# Apache .htaccess
RewriteEngine On
RewriteRule ^wp-json/lottiefiles/v1/settings/ - [F,L]
🧯 If You Can't Patch
- Disable the LottieFiles plugin completely
- Implement network-level blocking of the vulnerable endpoint
🔍 How to Verify
Check if Vulnerable:
Check whether plugin version ≤3.0.0 is installed and whether an unauthenticated GET request to /wp-json/lottiefiles/v1/settings/ returns sensitive credentials.
Check Version:
wp plugin list --name=lottiefiles --field=version
Verify Fix Applied:
Confirm plugin version is ≥3.0.1 and the same endpoint no longer returns credentials without authentication.
📡 Detection & Monitoring
Log Indicators:
- Unusual GET requests to /wp-json/lottiefiles/v1/settings/ from unauthenticated users
- Multiple failed authentication attempts following credential exposure
Network Indicators:
- Unusual outbound connections to LottieFiles.com API from unexpected sources
- Spike in requests to WordPress REST API endpoints
SIEM Query:
source="wordpress.log" AND uri_path="/wp-json/lottiefiles/v1/settings/" AND http_method=GET AND user="-"
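As an added example (not part of this advisory), the SIEM query above implemented as a parser over constructed Apache/Nginx combined-format access log lines. It assumes that log format, and it also matches WordPress's ?rest_route= query form of the same route, which a path-only .htaccess or WAF rule and the path-only SIEM query do not cover.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined log format (assumed):
# host ident authuser [time] "METHOD target PROTO" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
ROUTE = "/lottiefiles/v1/settings"  # route from the advisory, without the /wp-json prefix

def hits_settings_route(target: str) -> bool:
    """True if the request reaches the vulnerable route, either through the
    pretty-permalink path (/wp-json/...) or through WordPress's ?rest_route=
    query form, which a path-only .htaccess/WAF rule does not block."""
    parts = urlsplit(target)
    if parts.path.rstrip("/").endswith("/wp-json" + ROUTE):
        return True
    return any(r.rstrip("/") == ROUTE for r in parse_qs(parts.query).get("rest_route", []))

def find_suspicious(lines):
    """Return (ip, time, target, status) for each GET to the settings route.
    The authuser field only records HTTP Basic auth, so it reads '-' even for
    logged-in WordPress users; every GET to this route is worth reviewing."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["method"] == "GET" and hits_settings_route(m["target"]):
            hits.append((m["ip"], m["time"], m["target"], int(m["status"])))
    return hits

# Constructed sample lines (not from a real incident); RFC 5737 test addresses.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Jan/2026:10:01:02 +0000] "GET /wp-json/lottiefiles/v1/settings/ HTTP/1.1" 200 412 "-" "curl/8.4.0"',
    '203.0.113.5 - - [12/Jan/2026:10:01:09 +0000] "GET /?rest_route=/lottiefiles/v1/settings HTTP/1.1" 200 412 "-" "curl/8.4.0"',
    '198.51.100.7 - - [12/Jan/2026:10:02:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 8831 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Jan/2026:10:02:30 +0000] "POST /wp-json/lottiefiles/v1/settings/ HTTP/1.1" 403 60 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, when, target, status in find_suspicious(SAMPLE_LOG):
        print(f"{when} {ip} GET {target} -> {status}")
```

A 200 response on a site still at version ≤3.0.0 with 'Share account' enabled means the token should be treated as exposed and rotated on LottieFiles.com after patching.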