Impact
The LottieFiles – Lottie block for Gutenberg plugin for WordPress contains a vulnerability that allows unauthenticated users to read sensitive data through the /wp-json/lottiefiles/v1/settings/ REST API endpoint. When the 'Share LottieFiles account with other WordPress users' option is enabled, an attacker can retrieve the site owner's LottieFiles.com account credentials, including the API access token and email address. This flaw is a classic example of a sensitive information exposure (CWE‑200) and gives an attacker access to credentials that could be used to control the owner's LottieFiles account or abuse the API.
Affected Systems
Affected systems include the LottieFiles – Lottie block for Gutenberg plugin for WordPress versions up to and including 3.0.0. Any WordPress site that has installed this plugin and has the sharing option enabled is vulnerable. The exposure applies regardless of the requester's role, including visitors who are not logged in, because the REST endpoint does not enforce authentication.
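The defect class described above is a REST route whose permission check lets anyone call it. The following PHP is an added illustration written for this page, not the plugin's own code: it registers the same `lottiefiles/v1` `/settings` route twice, once with the permissive `__return_true` permission callback that makes the route reachable by unauthenticated users, and once with a capability check that WordPress evaluates before the handler runs. The handler, the option names (`lf_example_*`), the function names, and the choice of the `edit_posts` capability are all assumptions for the example.

```php
<?php
/**
 * Added example (hypothetical, not the plugin's code): two ways of registering
 * the /wp-json/lottiefiles/v1/settings/ route. All lf_example_* names and
 * option keys are assumed for this illustration.
 */

// Weak form: '__return_true' as permission_callback means every request passes
// the authorisation step, so whatever the handler returns (here, stored account
// details) is readable without logging in. This is the defect class the
// advisory describes.
function lf_example_register_weak_route() {
    register_rest_route( 'lottiefiles/v1', '/settings', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'lf_example_get_settings',
        'permission_callback' => '__return_true',
    ) );
}

// Hardened form: WordPress calls permission_callback before callback and turns a
// WP_Error (or false) into a 401/403 response, so the handler never runs for
// unauthorised requests.
function lf_example_register_hardened_route() {
    register_rest_route( 'lottiefiles/v1', '/settings', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'lf_example_get_settings',
        'permission_callback' => 'lf_example_can_read_settings',
    ) );
}

// Authorisation check. 'edit_posts' is an assumed minimum for users who work in
// the block editor; administrators hold it too. Pick the narrowest capability
// that matches who the sharing feature is meant to serve.
function lf_example_can_read_settings( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            'Authentication required.',
            array( 'status' => 401 )
        );
    }
    if ( ! current_user_can( 'edit_posts' ) ) {
        return new WP_Error(
            'rest_forbidden',
            'Insufficient privileges.',
            array( 'status' => 403 )
        );
    }
    return true;
}

// Handler. Even for authorised callers, do not echo the raw API token back to
// the browser; expose only whether one is configured. Option keys are assumed.
function lf_example_get_settings( WP_REST_Request $request ) {
    $token = (string) get_option( 'lf_example_api_token', '' );
    return rest_ensure_response( array(
        'share_account'    => (bool) get_option( 'lf_example_share_account', false ),
        'email'            => (string) get_option( 'lf_example_email', '' ),
        'token_configured' => ( '' !== $token ),
    ) );
}

// Only the hardened registration is hooked; the weak one is shown for contrast.
add_action( 'rest_api_init', 'lf_example_register_hardened_route' );
```

Since WordPress 5.5, `register_rest_route()` emits a "doing it wrong" notice when `permission_callback` is omitted, which is a useful signal when reviewing plugin code; the notice does not fire for `__return_true`, so that pattern has to be found by reading the registrations. After deploying a check like the one above on your own site, an unauthenticated request to the route should return HTTP 401 rather than a settings body.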
Risk and Exploitability
The CVSS score is 5.3, which corresponds to moderate severity. The EPSS score is reported as less than 1%, implying a very low likelihood of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Because the REST endpoint is publicly accessible, an attacker needs only the site's URL to query it; no additional conditions or privileges are required. The potential impact is the exposure of the owner's account credentials and API token, but the overall exploitation probability currently remains low.
OpenCVE Enrichment