CVE-2026-0717: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in lottiefile LottieFiles – Lottie block for Gutenberg
CVE-2026-0717 is a medium severity vulnerability in the LottieFiles – Lottie block for Gutenberg WordPress plugin, affecting all versions up to and including 3.0.0. It allows unauthenticated attackers to read sensitive information from the /wp-json/lottiefiles/v1/settings/ REST API route. Specifically, if the 'Share LottieFiles account with other WordPress users' option is enabled, an anonymous request to that route returns the site owner's LottieFiles.com API token and email address. The leaked token permits unauthorized use of the LottieFiles account; it does not by itself affect the integrity or availability of the WordPress site. No exploitation in the wild has been reported. European organizations running an affected version with the sharing option enabled are exposed to credential leakage. Mitigation consists of disabling the sharing option, rotating the LottieFiles token, and updating the plugin once a fixed release is available.
AI Analysis
Technical Summary
CVE-2026-0717 is a vulnerability classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) in the LottieFiles – Lottie block for Gutenberg WordPress plugin, which integrates Lottie animations into WordPress sites. All versions up to and including 3.0.0 are affected. The flaw is reachable through the REST API route /wp-json/lottiefiles/v1/settings/. When the plugin's 'Share LottieFiles account with other WordPress users' option is enabled, that route returns the site owner's LottieFiles.com account details, including the API access token and email address, to any client that requests it; no authentication is checked. The token is a bearer credential for the LottieFiles platform: whoever holds it can act as the account owner there, which may include reading or modifying the account's animation assets. The email address is useful on its own as a confirmed account identity and as a phishing target. Exploitation needs neither credentials nor user interaction, so any remote client that can reach the site's REST API can trigger it. For the WordPress site itself the impact is confined to the confidentiality of that one setting; the site's integrity and availability are untouched, and the real damage lands on the linked LottieFiles account. No patch is linked at the time of writing and no active exploitation has been reported. The CVSS v3.1 base score is 5.3 (medium), the score a network-reachable, low-complexity, unauthenticated request with low confidentiality impact and no integrity or availability impact receives (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). The root cause is a familiar one in WordPress plugins: a REST route whose permission callback admits every caller, returning a settings object that happens to contain a third-party credential. A secret the site stores for its own server-side use should never be returned by a route that unauthenticated clients can call, and ideally should never reach a browser at all.
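An added illustration of the route design at issue, written for this page and not taken from the LottieFiles plugin: the same REST route registered once with a permission callback that admits everyone, and once with an authentication requirement plus server-side redaction of the secret. Only the route path comes from the advisory; the option name lottie_demo_settings, the keys api_token and email, and the function names are assumptions.

```php
<?php
// Added example for this advisory, not the LottieFiles plugin's own code.
// Option name, key names and function names are assumptions; the route
// path /lottiefiles/v1/settings/ is the one named in the advisory.

/**
 * Vulnerable pattern: permission_callback admits every caller, so an
 * unauthenticated GET /wp-json/lottiefiles/v1/settings/ returns the whole
 * option, including the linked account's API token and e-mail address.
 */
function lottie_demo_register_vulnerable_route() {
    register_rest_route( 'lottiefiles/v1', '/settings/', array(
        'methods'             => WP_REST_Server::READABLE,
        'permission_callback' => '__return_true',
        'callback'            => function ( WP_REST_Request $request ) {
            return rest_ensure_response( get_option( 'lottie_demo_settings', array() ) );
        },
    ) );
}

/**
 * Hardened pattern: anonymous callers are rejected before the callback runs
 * (WordPress answers 401 for anonymous users and 403 for logged-in users who
 * fail the check), and the secret is stripped for anyone who cannot manage
 * the integration. "Sharing" the account with other editors then tells them
 * that an account is linked without handing them, or the public, the token.
 */
function lottie_demo_register_hardened_route() {
    register_rest_route( 'lottiefiles/v1', '/settings/', array(
        'methods'             => WP_REST_Server::READABLE,
        'permission_callback' => function () {
            // Anyone who can use the block in the editor may read non-secret settings.
            return current_user_can( 'edit_posts' );
        },
        'callback'            => function ( WP_REST_Request $request ) {
            $settings = get_option( 'lottie_demo_settings', array() );
            if ( ! current_user_can( 'manage_options' ) ) {
                // Never send the account secret or owner identity to a non-admin's browser.
                $linked = ! empty( $settings['api_token'] );
                unset( $settings['api_token'], $settings['email'] );
                $settings['account_linked'] = $linked;
            }
            return rest_ensure_response( $settings );
        },
    ) );
}

// Only the hardened route is registered; the vulnerable one is kept above for comparison.
add_action( 'rest_api_init', 'lottie_demo_register_hardened_route' );
```

The redaction still leaves administrators receiving the token in their browser. The stronger design, where the shared-account feature genuinely needs the credential, is to keep the token server-side and proxy the LottieFiles API calls through an authenticated WordPress route, so the secret never leaves the server for any role.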
Potential Impact
For European organizations, exposure of the LottieFiles API token hands an attacker access to the organization's LottieFiles account, where animation assets used on websites and in digital marketing material can be read, altered or misused. This does not compromise the WordPress site's own security, but it can lead to reputational damage, unauthorized content changes and leakage of whatever other data is linked to the LottieFiles account. Organizations that rely on Lottie animations for branding or customer engagement may see those assets disrupted or abused. The leaked email address adds a second problem: combined with knowledge of the account, it gives an attacker a credible pretext for phishing the site owner or the organization's partners, which could escalate the incident. The vulnerability's ease of exploitation and the absence of any authentication requirement raise the risk, especially for organizations where several WordPress users share one LottieFiles account and the sharing option is therefore likely to be on. The lack of reported exploitation should not be read as safety: the attack is a single anonymous GET request that is indistinguishable from ordinary REST traffic, so quiet harvesting of tokens would leave little trace, and a token taken before remediation remains valid until it is rotated.
Mitigation Recommendations
European organizations should immediately audit their WordPress installations for the LottieFiles – Lottie block for Gutenberg plugin and record its version. If the version is 3.0.0 or earlier, disable the 'Share LottieFiles account with other WordPress users' option first; this removes the leaking data from the route. Then rotate the LottieFiles API token at LottieFiles.com, in that order, because a token rotated while sharing is still enabled is simply leaked again on the next request. Until a fixed release is available, additionally restrict access to the /wp-json/lottiefiles/v1/settings/ route with a web application firewall rule or a custom access control inside WordPress. A path-based WAF rule should match with and without the trailing slash and must also cover the alternative addressing form index.php?rest_route=/lottiefiles/v1/settings/, which reaches the same route without the /wp-json/ prefix. Review web server logs for earlier anonymous requests to that route to judge whether the token should be treated as already compromised, and monitor LottieFiles account activity for unauthorized actions. Tighten role-based access within WordPress so that only administrators can change plugin settings, which limits who can re-enable sharing. Finally, subscribe to the plugin vendor's security advisories and update promptly once a fixed version is published.
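An added interim mitigation for site operators, written for this page and not supplied by the plugin or its vendor: a must-use plugin that short-circuits any request to the affected route unless the caller is an authenticated administrator. It assumes a standard WordPress installation where the route path is the one named in the advisory; the file name, log prefix and the choice of manage_options as the required capability are assumptions.

```php
<?php
/**
 * Plugin Name: Lottie settings route guard (interim mitigation)
 * Description: Denies anonymous and non-administrator access to the
 *              lottiefiles/v1/settings REST route until a fixed plugin ships.
 *
 * Added example for this advisory, not code from the LottieFiles plugin.
 * Save as wp-content/mu-plugins/lottie-settings-guard.php; must-use plugins
 * load before regular plugins and cannot be deactivated from the dashboard.
 */

add_filter( 'rest_pre_dispatch', function ( $result, WP_REST_Server $server, WP_REST_Request $request ) {
    // get_route() yields the resolved REST route (e.g. /lottiefiles/v1/settings/)
    // whether the request came in as /wp-json/... or as ?rest_route=..., so a
    // single check covers both addressing forms. Drop the trailing slash so
    // /settings and /settings/ are treated alike.
    $route = rtrim( $request->get_route(), '/' );

    // Only guard the affected route and anything beneath it; other REST traffic is untouched.
    if ( strpos( $route, '/lottiefiles/v1/settings' ) !== 0 ) {
        return $result;
    }

    // REST authentication (cookie + nonce, application passwords) has already run
    // by the time this filter fires, so is_user_logged_in() reflects the caller.
    if ( ! is_user_logged_in() ) {
        error_log( sprintf(
            'lottie-guard: blocked anonymous %s %s from %s',
            $request->get_method(),
            $route,
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
        ) );
        return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
    }

    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient permissions.', array( 'status' => 403 ) );
    }

    // Administrator: let the real route handler run.
    return $result;
}, 10, 3 );
```

Returning a WP_Error from rest_pre_dispatch stops dispatch before the plugin's own callback executes, so the settings are never serialized for a blocked caller. Verify the guard with an unauthenticated request in both forms, `curl -si https://example.org/wp-json/lottiefiles/v1/settings/` and `curl -si 'https://example.org/?rest_route=/lottiefiles/v1/settings/'`, expecting HTTP 401 from each. Requiring manage_options intentionally breaks the shared-account feature for non-administrator editors; that is the trade-off, and the sharing option should be disabled and the token rotated regardless of this guard.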
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
Technical Details
Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2026-01-08T11:59:20.274Z
CVSS Version: 3.1
State: PUBLISHED
Threat ID: 69672e028330e067168f4053
Added to database: 1/14/2026, 5:47:46 AM
Last enriched: 1/21/2026, 8:47:14 PM
Last updated: 2/7/2026, 12:46:58 AM