CVE-2026-0717: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in lottiefile LottieFiles – Lottie block for Gutenberg
The LottieFiles – Lottie block for Gutenberg plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.0.0 via the `/wp-json/lottiefiles/v1/settings/` REST API endpoint. This makes it possible for unauthenticated attackers to retrieve the site owner's LottieFiles.com account credentials, including the API access token and email address, when the 'Share LottieFiles account with other WordPress users' option is enabled.
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2026-0717 is a CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) vulnerability in the LottieFiles – Lottie block for Gutenberg WordPress plugin, which integrates Lottie animations into WordPress sites as Gutenberg blocks. All versions up to and including 3.0.0 are affected. The flaw is reachable through the plugin's REST API endpoint at `/wp-json/lottiefiles/v1/settings/`: when the 'Share LottieFiles account with other WordPress users' option is enabled, the endpoint returns the site owner's LottieFiles.com API access token and email address to unauthenticated callers. Any remote attacker can therefore query this endpoint without authentication or user interaction and retrieve these credentials. The API token can potentially be used to perform unauthorized actions on the victim's LottieFiles account, such as accessing or modifying animations, or consuming API limits. The vulnerability has a CVSS v3.1 base score of 5.3 (medium): network attack vector, low attack complexity, no privileges required, and no user interaction. No public exploits have been reported, but the ease of access and the sensitivity of the exposed data make this a significant risk for affected WordPress sites. The root cause is a familiar one: a REST endpoint that serves sensitive configuration data without proper access controls.
Potential Impact
The primary impact of CVE-2026-0717 is the unauthorized disclosure of sensitive credentials, specifically the LottieFiles.com API token and email address associated with the site owner's account. Consequences for affected organizations include unauthorized access to the LottieFiles account, which may allow attackers to manipulate or steal animation assets, consume API quotas, or take actions that cause reputational damage or service disruption. The exposed email address may also facilitate targeted phishing or social engineering. Because the vulnerability requires neither authentication nor user interaction, it can be exploited remotely and at scale, raising the risk of widespread credential leakage. Organizations that rely on LottieFiles for critical website animations or integrations may face operational disruption or data-integrity issues if the credentials are misused, and a compromised API token could serve as a foothold for further attacks where linked accounts or automation workflows exist. Overall, the vulnerability poses a moderate risk to confidentiality and potentially to the integrity of LottieFiles-related assets and services.
Mitigation Recommendations
To mitigate CVE-2026-0717, organizations should first check whether the 'Share LottieFiles account with other WordPress users' option is enabled in the LottieFiles – Lottie block for Gutenberg plugin settings and, if it is, disable it until a patched version is available. Since no patch links are currently provided, consider temporarily deactivating or removing the plugin to eliminate the exposure. Monitor the `/wp-json/lottiefiles/v1/settings/` endpoint for unauthorized access attempts using web server logs or security monitoring tools. Rotate the LottieFiles API access tokens associated with affected accounts to invalidate any credentials that may already have been retrieved. Enforce authentication and authorization checks on REST API endpoints so that sensitive data is never returned to unauthenticated callers, and review and restrict which WordPress users may modify plugin settings to reduce insider risk. Follow vendor advisories for an official patch and apply it promptly once available. As an interim measure, use a web application firewall (WAF) to block suspicious requests targeting the vulnerable endpoint.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-01-08T11:59:20.274Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69672e028330e067168f4053
Added to database: 1/14/2026, 5:47:46 AM
Last enriched: 2/26/2026, 6:37:51 PM
Last updated: 3/25/2026, 4:07:28 AM