CVE-2025-68043
Published: 20 February 2026
Summary
CVE-2025-68043 is a high-severity Missing Authorization (CWE-862) vulnerability. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 18.3% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-68043 is a missing authorization vulnerability, tracked as CWE-862, that stems from incorrectly configured access control security levels. It affects the LottieFiles WordPress plugin from n/a through version 3.0.0.
An unauthenticated remote attacker can exploit the flaw over the network without any credentials or user interaction. Successful exploitation allows limited impacts to confidentiality, integrity, and availability, consistent with the CVSS 7.3 rating.
The Patchstack advisory at the referenced URL documents the broken access control issue in the LottieFiles plugin and provides details for affected WordPress installations. The EPSS score remains low with only a modest peak, indicating limited observed exploitation interest to date.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-208073
Vulnerability details
Missing Authorization vulnerability in LottieFiles LottieFiles lottiefiles allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects LottieFiles: from n/a through <= 3.0.0.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Missing authorization (broken access control) in a public-facing WordPress plugin directly enables remote, unauthenticated exploitation of the web application.
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly requires enforcement of approved authorizations for access to resources, addressing the core missing authorization flaw in the LottieFiles WordPress plugin.
- SI-2 (Flaw Remediation): mandates timely identification, reporting, and correction of system flaws such as this broken access control vulnerability, here by patching the plugin.
- AC-6 (Least Privilege): enforces the least privilege principle so that accounts can reach only the functions they need, limiting the impact of the plugin's missing authorization checks.