CVE-2025-9991 – The Tiny Bootstrap Elements Light WordPress plu... (How to Fix)

📋 TL;DR

The Tiny Bootstrap Elements Light WordPress plugin contains a Local File Inclusion vulnerability that allows unauthenticated attackers to include and execute arbitrary PHP files on the server. This can lead to remote code execution, data theft, and complete system compromise. All WordPress sites using this plugin up to version 4.3.34 are affected.

💻 Affected Systems

Products:

Tiny Bootstrap Elements Light WordPress Plugin

Versions: All versions up to and including 4.3.34

Operating Systems: Any OS running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Requires WordPress installation with the vulnerable plugin active

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete server compromise leading to data exfiltration, ransomware deployment, or persistent backdoor installation

🟠

Likely Case

Unauthenticated attackers achieve remote code execution to install web shells, steal sensitive data, or pivot to internal systems

🟢

If Mitigated

Limited impact if file uploads are restricted and web server permissions are properly configured

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Simple HTTP request manipulation required; exploit code is publicly available

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.3.35 or later

Vendor Advisory: https://wordpress.org/plugins/tiny-bootstrap-elements-light/

Restart Required: No

Instructions:

1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find Tiny Bootstrap Elements Light
4. Click 'Update Now' if available
5. If no update available, deactivate and delete the plugin

🔧 Temporary Workarounds

Disable vulnerable plugin

all

Temporarily deactivate the Tiny Bootstrap Elements Light plugin

wp plugin deactivate tiny-bootstrap-elements-light

Web Application Firewall rule

all

Block requests containing malicious language parameter patterns

🧯 If You Can't Patch

Immediately deactivate and remove the Tiny Bootstrap Elements Light plugin
Implement strict file upload restrictions and disable PHP execution in upload directories

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → Tiny Bootstrap Elements Light version

Check Version:

wp plugin get tiny-bootstrap-elements-light --field=version

Verify Fix Applied:

Verify plugin version is 4.3.35 or higher, or plugin is completely removed

📡 Detection & Monitoring

Log Indicators:

HTTP requests to /wp-content/plugins/tiny-bootstrap-elements-light/assets/bootstrap-label.php with unusual language parameters
Multiple failed file inclusion attempts
Unexpected PHP file execution

Network Indicators:

Unusual outbound connections from web server
Traffic patterns suggesting data exfiltration

SIEM Query:

source="web_logs" AND uri="*bootstrap-label.php*" AND (param="language" OR param="lang") AND value!="en"

📊 Metadata

CVE ID: CVE-2025-9991

CVSS v3 Score: 8.1 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-98

EPSS Score: 0.4% exploit probability (60.1th percentile)

Published: September 30, 2025

Last Updated: October 2, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-9991, you might also want to check these: