
CVE-2025-9991: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in migli Tiny Bootstrap Elements Light

Severity: High
Tags: vulnerability, cve-2025-9991, cwe-98
Published: Tue Sep 30 2025 (09/30/2025, 03:35:31 UTC)
Source: CVE Database V5
Vendor/Project: migli
Product: Tiny Bootstrap Elements Light

Description

CVE-2025-9991 is a high-severity Local File Inclusion (LFI) vulnerability in the Tiny Bootstrap Elements Light WordPress plugin affecting all versions up to 4.3.34. It allows unauthenticated attackers to manipulate the 'language' parameter to include and execute arbitrary PHP files on the server. This can lead to full remote code execution, bypassing access controls and exposing sensitive data. Exploitation requires no user interaction, but attack complexity is rated high because the attacker must first upload or otherwise control a PHP file on the server. No known exploits are currently reported in the wild. European organizations using this plugin on WordPress sites are at risk, especially those with lax file upload controls. Mitigation requires an immediate plugin update or disabling the vulnerable plugin, together with strict file upload controls and web application firewall rules. Countries with high WordPress adoption and significant web hosting industries, such as Germany, the UK, France, and the Netherlands, are most likely to be affected.

AI-Powered Analysis

Last updated: 10/07/2025, 11:34:58 UTC

Technical Analysis

CVE-2025-9991 is a Local File Inclusion vulnerability classified under CWE-98, affecting the Tiny Bootstrap Elements Light plugin for WordPress in all versions up to 4.3.34. The vulnerability arises from improper control of the filename used in PHP include or require statements, specifically via the 'language' parameter. An unauthenticated attacker can exploit this flaw by manipulating the parameter to include arbitrary PHP files from the server, leading to remote code execution. This can be leveraged to bypass access controls, extract sensitive information, or execute malicious PHP code if the attacker can upload or otherwise place PHP files on the server. The vulnerability has a CVSS 3.1 base score of 8.1, indicating high severity, with network attack vector, no privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. Although no known exploits are currently reported in the wild, the vulnerability's nature makes it a critical risk for WordPress sites using this plugin. The lack of a patch link suggests that a fix may not yet be available, increasing urgency for mitigation. The vulnerability is particularly dangerous in environments where file upload functionality is enabled without strict validation, as attackers can upload malicious PHP payloads to be included and executed. The issue highlights the importance of secure coding practices around dynamic file inclusion and parameter validation in PHP applications.
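The control the analysis describes, resolving a user-supplied 'language' value against a fixed allowlist before any file is included, is shown below as an added example written for this page. It is a Python model of the check, not the plugin's PHP code and not a description of how the plugin actually resolves the parameter; the languages directory, the file naming scheme (`<code>.php`) and the accepted language-code pattern are all assumptions constructed for the demonstration.

```python
"""Added example (not the plugin's code): allowlist-based resolution of a
user-supplied 'language' value before any file include, the CWE-98 control
the advisory calls for. Directory layout and naming scheme are constructed."""
import os
import re
import tempfile
from typing import Optional

# Assumed shape of a legitimate value, e.g. "en" or "de_DE". Anything else,
# including traversal sequences, absolute paths, stream-wrapper prefixes such
# as php:// and embedded null bytes, fails this check before it reaches the
# filesystem at all.
LANG_CODE = re.compile(r"[a-z]{2}(?:_[A-Z]{2})?")


def make_language_dir() -> str:
    """Construct a throwaway languages directory holding two valid files."""
    base = tempfile.mkdtemp(prefix="lang_")
    for code in ("en", "de_DE"):
        with open(os.path.join(base, f"{code}.php"), "w") as fh:
            fh.write("<?php // constructed language file\n")
    return base


def resolve_language_file(lang_dir: str, value: str) -> Optional[str]:
    """Return the canonical path of the file to include, or None to refuse.

    Three independent checks, each on its own enough to stop the classes of
    input the advisory describes:
      1. the value must match the strict language-code pattern;
      2. the canonical path must remain inside lang_dir (defence in depth,
         e.g. against a symlink dropped into the directory);
      3. the file must exist with the fixed .php extension.
    The caller never passes the raw request value to include/require.
    """
    if not LANG_CODE.fullmatch(value):
        return None
    base = os.path.realpath(lang_dir)
    candidate = os.path.realpath(os.path.join(base, f"{value}.php"))
    if os.path.commonpath([base, candidate]) != base:
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def classify(lang_dir: str, values):
    """Map each candidate value to its accepted path or None."""
    return {v: resolve_language_file(lang_dir, v) for v in values}


if __name__ == "__main__":
    d = make_language_dir()
    samples = ["en", "de_DE", "fr", "../../wp-config", "/etc/passwd",
               "php://filter/resource=index", "en\x00"]
    for v, r in classify(d, samples).items():
        print(repr(v), "->", ("ACCEPT " + r) if r else "REJECT")
```

The important design choice is the order of checks: the pattern match rejects hostile input before `realpath` or `isfile` ever see it, so the filesystem checks only have to defend against mistakes inside the allowlisted directory, not against the request itself.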

Potential Impact

For European organizations, this vulnerability poses a significant risk to WordPress-based websites, which are widely used across Europe for business, government, and e-commerce purposes. Successful exploitation can lead to full compromise of the affected web server, resulting in data breaches, defacement, service disruption, or pivoting to internal networks. Confidential customer and employee data could be exposed, violating GDPR and other data protection regulations, leading to legal and financial penalties. The ability to execute arbitrary PHP code also enables attackers to install backdoors, ransomware, or use the compromised server as a launchpad for further attacks. Organizations with public-facing WordPress sites using the Tiny Bootstrap Elements Light plugin are particularly vulnerable. The high severity and unauthenticated nature of the exploit increase the likelihood of targeted attacks or opportunistic scanning by automated tools. This threat also impacts hosting providers and managed service providers supporting WordPress clients, potentially affecting multiple customers simultaneously.

Mitigation Recommendations

Immediate mitigation steps include disabling or uninstalling the Tiny Bootstrap Elements Light plugin until a secure patch is released. Organizations should monitor official vendor channels and WordPress plugin repositories for updates addressing this vulnerability. Implement strict file upload controls to prevent unauthorized PHP file uploads, including MIME type validation, file extension whitelisting, and scanning uploaded files for malicious content. Deploy Web Application Firewalls (WAFs) with rules to detect and block attempts to exploit LFI vulnerabilities, particularly targeting the 'language' parameter in HTTP requests. Conduct thorough security audits of WordPress installations to identify and remediate other potential vulnerabilities. Employ least privilege principles for web server and PHP execution environments to limit the impact of any successful exploitation. Regularly back up website data and configurations to enable rapid recovery in case of compromise. Educate web administrators on secure plugin management and the risks of outdated or untrusted plugins. Finally, consider implementing runtime application self-protection (RASP) solutions to detect and prevent exploitation attempts in real time.
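The WAF and monitoring recommendation above (watch the 'language' parameter for inclusion attempts) can be turned into a log review. The following is an added example for this page, not a rule from the advisory or from any WAF product: it parses constructed Apache combined-format access-log lines, extracts the `language` query parameter, normalises repeated percent-encoding, and reports requests whose value does not look like a language code. The plugin URL path, the client addresses and the accepted language-code pattern are assumptions constructed for the demonstration.

```python
"""Added example (not from the advisory): flag requests whose 'language'
query parameter carries LFI-style payloads, run over constructed access-log
lines. Log content and the plugin URL path are constructed for illustration."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Apache combined-log shape (minus referer/UA).
SAMPLE_LOG = """\
203.0.113.5 - - [30/Sep/2025:10:01:02 +0000] "GET /wp-content/plugins/example-plugin/?language=en HTTP/1.1" 200 512
203.0.113.9 - - [30/Sep/2025:10:01:07 +0000] "GET /wp-content/plugins/example-plugin/?language=../../../../wp-config HTTP/1.1" 200 3021
203.0.113.9 - - [30/Sep/2025:10:01:09 +0000] "GET /wp-content/plugins/example-plugin/?language=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1440
198.51.100.7 - - [30/Sep/2025:10:02:15 +0000] "GET /wp-content/plugins/example-plugin/?language=php%3A%2F%2Ffilter%2Fresource%3Dindex HTTP/1.1" 200 220
198.51.100.7 - - [30/Sep/2025:10:02:20 +0000] "GET /wp-content/plugins/example-plugin/?language=%252e%252e%252fwp-config HTTP/1.1" 200 77
203.0.113.5 - - [30/Sep/2025:10:03:00 +0000] "GET /wp-content/plugins/example-plugin/?language=de_DE&x=1 HTTP/1.1" 200 512
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumed legitimate shape of the parameter, e.g. "en" or "de_DE".
SAFE_VALUE = re.compile(r"[a-z]{2}(?:_[A-Z]{2})?")
# Any URL-scheme-like prefix (php:, data:, file:, http:, ...) is suspicious here.
WRAPPER_RE = re.compile(r"^[a-z][a-z0-9+.-]*:", re.IGNORECASE)


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded payloads are normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def lfi_reason(raw_value: str):
    """Return a short reason if the value looks like an inclusion attempt, else None."""
    v = decode_fully(raw_value)
    if SAFE_VALUE.fullmatch(v):
        return None
    if "\x00" in v:
        return "null byte"
    if ".." in v.replace("\\", "/").split("/"):
        return "path traversal"
    if v.startswith("/") or re.match(r"^[A-Za-z]:[\\/]", v):
        return "absolute path"
    if WRAPPER_RE.match(v):
        return "stream wrapper"
    return "unexpected value"


def scan_log(text: str):
    """Return (client ip, parameter value, reason) for each suspicious request."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        # parse_qs decodes one layer; decode_fully handles the rest.
        for raw in parse_qs(query, keep_blank_values=True).get("language", []):
            reason = lfi_reason(raw)
            if reason:
                findings.append((m.group("ip"), raw, reason))
    return findings


if __name__ == "__main__":
    for ip, value, reason in scan_log(SAMPLE_LOG):
        print(f"{ip}\t{reason}\t{value!r}")
```

Two points worth carrying into a real rule: decode before matching (the double-encoded `%252e` line is only caught after the second pass), and treat the check as an allowlist (anything that is not a plain language code is reported) rather than a denylist of known traversal strings, so an encoding or wrapper you did not think of still surfaces for review.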


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-09-04T14:15:12.637Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68db52afa473ffe031e44804

Added to database: 9/30/2025, 3:46:55 AM

Last enriched: 10/7/2025, 11:34:58 AM

Last updated: 11/12/2025, 4:52:47 AM
