CVE-2025-9991: 
WordPress vulnerability analysis and mitigation

The Tiny Bootstrap Elements Light plugin for WordPress contains a Local File Inclusion vulnerability (CVE-2025-9991) affecting all versions up to and including 4.3.34. The vulnerability was discovered and reported by Wordfence, with the initial disclosure made on September 30, 2025 (NVD, Tenable).

The vulnerability exists in the 'language' parameter of the plugin, which fails to properly validate input, allowing for arbitrary file inclusion. The vulnerability has been assigned a CVSS v3.1 base score of 8.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. The weakness is classified as CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program) (NVD).

The vulnerability allows unauthenticated attackers to include and execute arbitrary .php files on the server, potentially leading to the execution of malicious PHP code. This can result in unauthorized access to sensitive data, bypass of access controls, and potential remote code execution if PHP files can be uploaded and included on the target system (NVD).

Website administrators running the Tiny Bootstrap Elements Light plugin should immediately update to a version newer than 4.3.34 once available. Until a patch is released, it is recommended to consider removing or disabling the plugin if it is not critical to website operations (NVD).