CVE-2026-0717

MEDIUM 5.3 / 10.0
Published: January 14, 2026 at 06:15 AM
Modified: January 14, 2026 at 04:25 PM
Source: security@wordfence.com

Vulnerability Description

The LottieFiles – Lottie block for Gutenberg plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.0.0 via the `/wp-json/lottiefiles/v1/settings/` REST API endpoint. This makes it possible for unauthenticated attackers to retrieve the site owner's LottieFiles.com account credentials including their API access token and email address when the 'Share LottieFiles account with other WordPress users' option is enabled.

CVSS Metrics

Base Score
5.3
Severity
MEDIUM
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Weaknesses (CWE)

Source: security@wordfence.com

AI Security Analysis

01 // Technical Summary

Unauthenticated attackers can exploit a vulnerability in the LottieFiles WordPress plugin to expose sensitive information, including the site owner's LottieFiles.com account credentials (API token and email address). This could allow compromise of the site owner's LottieFiles account and injection of malicious Lottie animations, leading to website defacement or further compromise. The vulnerability exists because of improper access control on a REST API endpoint.

02 // Vulnerability Mechanism

Step 1: Reconnaissance: An attacker identifies a WordPress site using the LottieFiles plugin and checks for the vulnerable version (<= 3.0.0).

Step 2: Endpoint Discovery: The attacker identifies the existence of the vulnerable REST API endpoint: /wp-json/lottiefiles/v1/settings/.

Step 3: Request Construction: The attacker crafts an unauthenticated HTTP GET request to the identified endpoint.

Step 4: Data Retrieval: The server, due to the lack of access controls, responds with the site owner's LottieFiles account credentials (API token and email address) if the sharing option is enabled.

Step 5: Account Compromise: The attacker uses the retrieved API token to access and potentially manipulate the site owner's LottieFiles account, leading to further attacks such as injecting malicious Lottie animations or defacing the website.

03 // Deep Technical Analysis

The root cause is the absence of proper authentication and authorization checks on the /wp-json/lottiefiles/v1/settings/ REST API endpoint within the LottieFiles plugin. When the 'Share LottieFiles account with other WordPress users' option is enabled, the plugin retrieves and returns the site owner's LottieFiles account credentials, including the API access token and email address, to any caller. The flaw is a straightforward information disclosure: the developers did not implement adequate access control, so unauthenticated users can read data intended only for the site administrator. This is a classic example of insecure direct object reference, where the API endpoint directly exposes sensitive data without proper authorization.
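The class of defect described above, shown as an added illustration in WordPress plugin code (this is not the LottieFiles plugin's source): a settings route whose `permission_callback` admits everyone, beside a hardened version that requires an administrator capability and never returns the token at all. The route namespace `lottiefiles-example/v1`, the option name `lottiefiles_settings` and its field names are assumptions.

```php
<?php
// Illustrative code, not the LottieFiles plugin's own source.
// Assumed option: 'lottiefiles_settings' => array( 'email', 'api_token', 'share_account' ).

// Weak pattern: '__return_true' makes the route public, so an unauthenticated
// GET returns whatever get_option() holds, secrets included.
function lf_example_register_weak_route() {
    register_rest_route( 'lottiefiles-example/v1', '/settings', array(
        'methods'             => 'GET',
        'callback'            => function () {
            return rest_ensure_response( get_option( 'lottiefiles_settings', array() ) );
        },
        'permission_callback' => '__return_true',
    ) );
}

// Hardened pattern: authenticate, then authorize against a capability, and
// hand back only the non-secret fields the admin UI actually needs.
function lf_example_register_hardened_route() {
    register_rest_route( 'lottiefiles-example/v1', '/settings', array(
        'methods'             => 'GET',
        'callback'            => 'lf_example_get_settings',
        'permission_callback' => function () {
            if ( ! is_user_logged_in() ) {
                return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
            }
            if ( ! current_user_can( 'manage_options' ) ) {
                return new WP_Error( 'rest_forbidden', 'Insufficient privileges.', array( 'status' => 403 ) );
            }
            return true;
        },
    ) );
}

function lf_example_get_settings( WP_REST_Request $request ) {
    $settings = get_option( 'lottiefiles_settings', array() );
    // The token and e-mail stay server-side; the client only learns whether an
    // account is linked and whether sharing is on.
    return rest_ensure_response( array(
        'share_account' => ! empty( $settings['share_account'] ),
        'connected'     => ! empty( $settings['api_token'] ),
    ) );
}

// Only the hardened route is hooked; the weak one is shown for contrast.
add_action( 'rest_api_init', 'lf_example_register_hardened_route' );
```

A quick audit check for any plugin is to grep its `register_rest_route` calls for `__return_true` permission callbacks and confirm each such route really is meant to be public and returns no secrets.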

CVE-2026-0717 - MEDIUM Severity (5.3) | Free CVE Database | 4nuxd