CVE-2025-9991 HIGH

CVE-2025-9991: Tiny Bootstrap Elements Light <= 4.3.34 - Unauthenticated Local File Inclusion

Vendor Migli

Product Tiny Bootstrap Elements Light

Weakness CWE-98 · PHP file inclusion

Published September 30, 2025

Last update April 8, 2026

View on NVD All CVEs

CVSS base score

8.1/10

Attack vector Network

Attack complexity High

Privileges required None

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

The Tiny Bootstrap Elements Light plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.3.34 via the 'language' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.

Key dates

02Disclosure timeline

September 30, 2025 CVE published

April 8, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-9991

Related vulnerabilities

04Related CVE

CVE-2026-28062 WordPress Happy Baby theme <= 1.2.12 - Local File Inclusion vulnerability CVE-2025-69076 WordPress Modern Housewife theme <= 1.0.12 - Local File Inclusion vulnerability CVE-2025-32309 WordPress Healsoul theme <= 2.2.3 - Local File Inclusion Vulnerability CVE-2023-2249 wpForo Forum <= 2.1.7 - Authenticated (Subscriber+) Local File Include, Server-Side Request Forgery, and PHAR Deserialization via file_get_contents CVE-2025-39570 WordPress WPCOM Member plugin <= 1.7.7 - Local File Inclusion Vulnerability