cbcvebase.
CVE-2025-68043
published 2026-02-20

Priority P2 · 77 · high · CVSS 3.1 base score 7.3
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:L / I:L / A:L
Exploitation: in-the-wild exploit reported · listed in VulnCheck KEV (exploited in the wild)
EPSS: 0.59% (43.7th percentile)
Missing Authorization vulnerability in LottieFiles LottieFiles lottiefiles allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects LottieFiles: from n/a through <= 3.0.0.

Affected

1 range

Vendor        Product       Version range   Fixed in
lottiefiles   lottiefiles   <= 3.0.0        (not listed)

Detection & IOCs (extracted from sources)

url: /wp-json/lottiefiles/v1/settings/
  • An unauthenticated GET to the LottieFiles REST API settings endpoint that returns HTTP 200 with a JSON body containing 'is_block_logged_in' indicates the missing-authorization flaw is exploitable.
  • The keyword 'is_block_logged_in' in the JSON response confirms the vulnerable settings endpoint is reachable without authentication.
  • Credential fields 'token', 'apiKey' and 'accessToken' may be present in the unauthenticated response body; extract them with regex patterns and redact them before logging findings.
  • No privileges are required: a single unauthenticated network request to the endpoint is sufficient.
  • Affects the LottieFiles WordPress plugin up to and including version 3.0.0; later, patched releases are not affected.
  • CVSS 7.3 (High): network attack vector, no privileges required, no user interaction, so the issue is remotely exploitable at scale.
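The signals above (anonymous GET, HTTP 200, JSON with 'is_block_logged_in', credential-looking keys in the body) can be turned into a small checker. The script below is an added example written for this page; it is not code from LottieFiles or from the CVE sources. The sample replies in it are constructed, not captured from a real site, and the User-Agent string and the redaction helper are this example's own choices. It separates the decision logic (assess_response, testable offline) from the network call (probe), so the same rule can be run over captured HTTP logs as well as live.

```python
"""Check a response for the CVE-2025-68043 signals: an unauthenticated GET to the
LottieFiles settings route answering HTTP 200 with JSON that carries
'is_block_logged_in', plus any credential-looking fields in that body."""
import json
import re
from dataclasses import dataclass, field
from typing import Any
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

ENDPOINT_PATH = "/wp-json/lottiefiles/v1/settings/"
MARKER_KEY = "is_block_logged_in"
# Keys the advisory sources name as possibly leaked; matched as JSON string values.
SENSITIVE_RE = re.compile(r'"(token|apiKey|accessToken)"\s*:\s*"([^"]*)"')


@dataclass
class Verdict:
    vulnerable: bool
    reason: str
    leaked: dict[str, str] = field(default_factory=dict)  # key -> redacted value


def _contains_key(node: Any, key: str) -> bool:
    """True if `key` appears anywhere in a (possibly nested) JSON structure."""
    if isinstance(node, dict):
        return key in node or any(_contains_key(v, key) for v in node.values())
    if isinstance(node, list):
        return any(_contains_key(v, key) for v in node)
    return False


def _redact(value: str) -> str:
    """Keep only a short prefix so a finding can be logged without storing the secret."""
    return value[:4] + "..." if len(value) > 4 else "****"


def assess_response(status: int, body: str) -> Verdict:
    """Decide from a captured (status, body) pair whether the page's signals match."""
    if status != 200:
        return Verdict(False, f"HTTP {status}: settings not served to an anonymous caller")
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return Verdict(False, "HTTP 200 but body is not JSON (not the settings route)")
    if not _contains_key(data, MARKER_KEY):
        return Verdict(False, f"JSON body lacks {MARKER_KEY!r}")
    # Only non-empty values count as a leak; keys with "" are noise.
    leaked = {k: _redact(v) for k, v in SENSITIVE_RE.findall(body) if v}
    return Verdict(True, f"HTTP 200 with {MARKER_KEY!r} in JSON from {ENDPOINT_PATH}", leaked)


def probe(base_url: str, timeout: float = 10.0) -> Verdict:
    """Send the unauthenticated GET (no cookies, no nonce) and assess the reply."""
    req = Request(
        base_url.rstrip("/") + ENDPOINT_PATH,
        headers={"User-Agent": "cve-2025-68043-check", "Accept": "application/json"},
    )
    try:
        with urlopen(req, timeout=timeout) as resp:
            return assess_response(resp.status, resp.read().decode("utf-8", "replace"))
    except HTTPError as err:  # 401/403 etc. still carry a body worth recording
        return assess_response(err.code, err.read().decode("utf-8", "replace"))
    except URLError as err:
        return Verdict(False, f"request failed: {err.reason}")


# Constructed sample replies (not captured from a real site), one per outcome.
SAMPLE_VULNERABLE = (200, '{"is_block_logged_in": false, "token": "abc123secretvalue", "apiKey": ""}')
SAMPLE_PATCHED = (401, '{"code":"rest_forbidden","message":"Sorry, you are not allowed to do that.","data":{"status":401}}')
SAMPLE_OTHER = (200, '{"version": "3.0.0"}')

if __name__ == "__main__":
    for status, body in (SAMPLE_VULNERABLE, SAMPLE_PATCHED, SAMPLE_OTHER):
        v = assess_response(status, body)
        print(v.vulnerable, v.reason, v.leaked)
```

A patched site will typically answer the anonymous request with a 401/403 REST error, which assess_response reports as not vulnerable while still recording the status; a 200 from a caching layer in front of the site can reproduce the marker, so confirm a positive against an uncached request before reporting it.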

CVSS provenance

NVD: CVSS v3.1 7.3 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
VulnCheck: 7.3 HIGH