CVE-2026-0717: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in lottiefile LottieFiles – Lottie block for Gutenberg
CVE-2026-0717 is a medium severity vulnerability in the LottieFiles – Lottie block for Gutenberg WordPress plugin, affecting all versions up to 3.0.0. It allows unauthenticated attackers to access sensitive information via the /wp-json/lottiefiles/v1/settings/ REST API endpoint. Specifically, if the 'Share LottieFiles account with other WordPress users' option is enabled, attackers can retrieve the site owner's LottieFiles.com API access token and email address. This exposure can lead to unauthorized use of the LottieFiles account but does not directly impact site integrity or availability. The vulnerability requires no authentication or user interaction and has a CVSS score of 5.3. There are currently no known exploits in the wild, and no patches have been released yet.
AI Analysis
Technical Summary
CVE-2026-0717 is a vulnerability classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) found in the LottieFiles – Lottie block for Gutenberg WordPress plugin. This plugin integrates Lottie animations into WordPress sites using Gutenberg blocks. The vulnerability exists in all versions up to and including 3.0.0 and is exploitable via the plugin's REST API endpoint at /wp-json/lottiefiles/v1/settings/. When the plugin's 'Share LottieFiles account with other WordPress users' feature is enabled, this endpoint inadvertently exposes sensitive data such as the site owner's LottieFiles.com account email and API access token. The API token is a critical credential that could allow attackers to interact with the LottieFiles service on behalf of the user, potentially leading to unauthorized content manipulation or data leakage. The flaw requires no authentication or user interaction, making it accessible to any remote attacker who can reach the WordPress REST API. The vulnerability does not affect the confidentiality of the WordPress site itself beyond the LottieFiles credentials, nor does it impact site integrity or availability directly. The CVSS v3.1 base score is 5.3, reflecting a medium severity with network attack vector, low attack complexity, no privileges required, and no user interaction needed. No patches or fixes have been published at the time of disclosure, and no active exploitation has been reported. Organizations using this plugin should consider disabling the vulnerable feature or restricting access to the REST API endpoint until a patch is available.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to the confidentiality of LottieFiles account credentials linked to their WordPress sites. Unauthorized access to the API token could allow attackers to misuse the LottieFiles account, potentially injecting malicious animations or extracting proprietary animation data. While this does not directly compromise the WordPress site’s core data or availability, it could lead to reputational damage, especially for organizations relying on Lottie animations for customer-facing content. Additionally, if attackers leverage the exposed credentials to conduct further attacks or phishing campaigns, it could escalate the impact. Organizations in sectors with strict data protection regulations, such as finance, healthcare, and government, may face compliance risks if sensitive account information is leaked. The vulnerability's ease of exploitation and lack of authentication requirements increase the likelihood of opportunistic attacks, particularly against high-profile or high-traffic websites using this plugin. However, the absence of known exploits in the wild and the medium severity rating suggest the immediate risk is moderate but should not be ignored.
Mitigation Recommendations
European organizations should take immediate steps to mitigate this vulnerability. First, audit all WordPress sites using the LottieFiles – Lottie block for Gutenberg plugin to identify affected versions (up to 3.0.0). If the 'Share LottieFiles account with other WordPress users' option is enabled, consider disabling this feature until a patch is released. Restrict access to the WordPress REST API endpoint /wp-json/lottiefiles/v1/settings/ by implementing IP whitelisting or authentication proxies to prevent unauthenticated external access. Monitor web server logs for unusual requests to this endpoint that could indicate exploitation attempts. Rotate the LottieFiles API access tokens immediately if exposure is suspected or confirmed. Engage with the plugin vendor or monitor official channels for security updates and apply patches promptly once available. Additionally, implement web application firewalls (WAFs) with custom rules to block suspicious API calls targeting this endpoint. Educate site administrators about the risks of sharing API credentials across multiple users and enforce the principle of least privilege for plugin configurations.
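Added example (not from the advisory or the plugin): a Python scan over constructed access-log lines that flags requests to the settings route in both forms WordPress accepts, the /wp-json/ path and the ?rest_route= query parameter, so that a path-only WAF or allowlist rule does not leave the second form open. A 200 reply on such a request is the line to investigate and, with the share option enabled, the trigger to rotate the token.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample access-log lines in combined format; not taken from the advisory.
SAMPLE_LOG = """\
203.0.113.5 - - [14/Jan/2026:05:47:46 +0000] "GET /wp-json/lottiefiles/v1/settings/ HTTP/1.1" 200 412 "-" "curl/8.4.0"
198.51.100.7 - - [14/Jan/2026:05:48:01 +0000] "GET /index.php?rest_route=%2Flottiefiles%2Fv1%2Fsettings%2F HTTP/1.1" 200 412 "-" "python-requests/2.31"
192.0.2.9 - - [14/Jan/2026:05:49:12 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Jan/2026:05:50:30 +0000] "GET /wp-json/lottiefiles/v1/settings/ HTTP/1.1" 401 77 "-" "curl/8.4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# The route from the advisory, in both forms WordPress accepts: the pretty
# /wp-json/ path and the ?rest_route= query parameter (missed by path-only rules).
ROUTE = "/lottiefiles/v1/settings"
ROUTE_RE = re.compile(
    r"^/wp-json" + re.escape(ROUTE) + r"/?(?:\?|$)"
    r"|[?&]rest_route=" + re.escape(ROUTE) + r"/?(?:&|$)"
)

def is_settings_request(target):
    """True if the (possibly percent-encoded) request target addresses the settings route."""
    return ROUTE_RE.search(unquote(target)) is not None

def find_settings_hits(log_text):
    """Return parsed hits on the settings route; 'served' marks a 200 reply, i.e. the
    server answered and, with sharing enabled, likely returned the token and email."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_settings_request(m.group("target")):
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            rec["served"] = rec["status"] == 200
            hits.append(rec)
    return hits

def summarize_by_ip(hits):
    """Per-source counts: which sources to block, and whether a rotation is warranted."""
    per_ip = defaultdict(lambda: {"requests": 0, "served": 0})
    for h in hits:
        per_ip[h["ip"]]["requests"] += 1
        per_ip[h["ip"]]["served"] += int(h["served"])
    return dict(per_ip)
```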
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-01-08T11:59:20.274Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 69672e028330e067168f4053
Added to database: 1/14/2026, 5:47:46 AM
Last enriched: 1/14/2026, 6:04:19 AM
Last updated: 1/14/2026, 7:09:00 AM