CVE-2025-9991 is a high-severity vulnerability affecting the Tiny Bootstrap Elements Light plugin for WordPress, specifically all versions up to and including 4.3.34. The vulnerability is classified as CWE-98, which involves improper control of filenames used in include or require statements in PHP programs. This manifests as a Local File Inclusion (LFI) vulnerability via the 'language' parameter in the plugin. An unauthenticated attacker can exploit this flaw by manipulating the 'language' parameter to include arbitrary .php files from the server. This can lead to the execution of arbitrary PHP code, which may allow attackers to bypass access controls, access sensitive data, or achieve full remote code execution if they can upload malicious .php files to the server. The vulnerability does not require any authentication or user interaction, but the complexity of exploitation is rated as high due to the need to have or upload malicious PHP files on the server. The CVSS v3.1 base score is 8.1, reflecting high impact on confidentiality, integrity, and availability, with network attack vector and no privileges required. Although no public exploits are currently known in the wild, the potential for severe damage is significant given the widespread use of WordPress and the plugin in question. The lack of available patches at the time of publication increases the risk for affected installations.

For European organizations, this vulnerability poses a substantial risk, especially for those relying on WordPress sites with the Tiny Bootstrap Elements Light plugin installed. Successful exploitation can lead to unauthorized access to sensitive corporate or customer data, defacement of websites, or full server compromise. This can result in reputational damage, regulatory penalties under GDPR due to data breaches, and operational disruptions. Organizations in sectors such as finance, healthcare, e-commerce, and government are particularly vulnerable due to the sensitive nature of their data and the criticality of their online presence. The ability to execute arbitrary PHP code remotely without authentication significantly raises the threat level, potentially enabling attackers to establish persistent backdoors or pivot within internal networks. Given the high prevalence of WordPress in Europe and the plugin’s usage, the threat could affect a broad range of organizations, from SMEs to large enterprises.

Immediate mitigation should include disabling or uninstalling the Tiny Bootstrap Elements Light plugin until a secure patch is released. Organizations should monitor official vendor channels and WordPress plugin repositories for updates addressing CVE-2025-9991. In the interim, applying Web Application Firewall (WAF) rules to block suspicious requests targeting the 'language' parameter can reduce exposure. Restricting file upload capabilities and enforcing strict file type validation on web servers can prevent attackers from uploading malicious PHP files that could be included via this vulnerability. Additionally, implementing least privilege principles for web server file permissions can limit the impact of potential exploitation. Regularly auditing WordPress plugins for vulnerabilities and maintaining an up-to-date inventory of installed components will help in early detection and response. Network segmentation and monitoring for unusual PHP execution patterns can aid in identifying exploitation attempts. Finally, organizations should prepare incident response plans specific to web application compromises.