CVE-2025-9991 is a Local File Inclusion vulnerability classified under CWE-98, affecting the Tiny Bootstrap Elements Light plugin for WordPress in all versions up to and including 4.3.34. The vulnerability stems from improper validation and control of the 'language' parameter, which is used in an include or require PHP statement without sufficient sanitization. This flaw allows an unauthenticated attacker to manipulate the parameter to include arbitrary PHP files from the server filesystem. If an attacker can upload or otherwise place a malicious PHP file on the server, they can execute arbitrary code with the privileges of the web server process. This can lead to full system compromise, data leakage, and bypass of access controls. The CVSS v3.1 score is 8.1, indicating high severity, with attack vector being network-based, no privileges or user interaction required, but with high attack complexity due to the need to have a malicious PHP file present on the server. No patches or official fixes have been linked yet, and no known exploits in the wild have been reported as of the publication date. The vulnerability is critical for websites using this plugin, especially those that allow file uploads or have weak file upload restrictions.

The impact of this vulnerability is significant for organizations running WordPress sites with the Tiny Bootstrap Elements Light plugin. Successful exploitation can lead to remote code execution, allowing attackers to execute arbitrary PHP code on the server. This can result in full compromise of the web server, including unauthorized access to sensitive data, defacement of websites, installation of backdoors or malware, and lateral movement within the network. The ability to bypass access controls can expose internal resources and data. Given WordPress's widespread use globally, many organizations, including businesses, government agencies, and e-commerce platforms, could be affected. The high CVSS score reflects the critical nature of the threat, especially in environments where file upload functionality exists or where attackers can otherwise place malicious files on the server.

To mitigate this vulnerability, organizations should immediately update the Tiny Bootstrap Elements Light plugin once an official patch is released. Until then, consider disabling or removing the plugin if it is not essential. Implement strict file upload controls to prevent attackers from uploading malicious PHP files, including restricting allowed file types, scanning uploads for malicious content, and storing uploads outside the web root. Employ web application firewalls (WAFs) with rules to detect and block attempts to manipulate the 'language' parameter or include unauthorized files. Additionally, apply the principle of least privilege to the web server process to limit the impact of potential code execution. Regularly audit and monitor web server logs for suspicious activity related to file inclusion attempts. Finally, consider isolating WordPress instances in segmented network zones to reduce lateral movement risk.