Description
The Tiny Bootstrap Elements Light plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.3.34 via the 'language' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.
Published: 2025-09-30
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion leading to arbitrary PHP execution
Action: Patch Immediately
AI Analysis

Impact

The Tiny Bootstrap Elements Light plugin for WordPress contains a Local File Inclusion flaw (CWE-98) that allows an attacker to specify an arbitrary "language" parameter and include any PHP file from the server. This can result in executing arbitrary PHP code, bypassing access controls, accessing sensitive data, or fully compromising the WordPress site. The flaw exists in all versions up to and including 4.3.34 and does not require authentication, making it particularly dangerous.

Affected Systems

Any WordPress installation that has the Tiny Bootstrap Elements Light plugin version 4.3.34 or earlier installed is affected. The vulnerability is triggered by the "language" parameter present in the plugin’s bootstrap-label.php script, which all users can reach via normal site URLs.

Risk and Exploitability

The CVSS score of 8.1 reflects a high severity impact, though the EPSS score of less than 1% indicates a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog, but unauthenticated attackers can exploit it by crafting a request to the vulnerable parameter, potentially achieving code execution if they can upload or otherwise provide PHP content that the server will include. The lack of authentication requirements expands the potential attacker base, warranting immediate attention.

Generated by OpenCVE AI on April 20, 2026 at 19:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Tiny Bootstrap Elements Light plugin to version 4.3.35 or newer to remove the vulnerable inclusion code.
  • If an upgrade is not immediately possible, disable or block access to the bootstrap-label.php file or configure the server to reject include attempts that use the 'language' parameter, thereby preventing LFI exploitation.
  • Review the site’s file upload and permission settings to ensure that PHP files cannot be written or executed by unauthenticated users, and consider implementing a web application firewall to block malicious inclusion attempts.

Generated by OpenCVE AI on April 20, 2026 at 19:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-31682 The Tiny Bootstrap Elements Light plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.3.34 via the 'language' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.
History

Tue, 30 Sep 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 30 Sep 2025 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Migli
Migli tiny Bootstrap Elements Light
Wordpress
Wordpress wordpress
Vendors & Products Migli
Migli tiny Bootstrap Elements Light
Wordpress
Wordpress wordpress

Tue, 30 Sep 2025 03:45:00 +0000

Type Values Removed Values Added
Description The Tiny Bootstrap Elements Light plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.3.34 via the 'language' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.
Title Tiny Bootstrap Elements Light <= 4.3.34 - Unauthenticated Local File Inclusion
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Migli Tiny Bootstrap Elements Light
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:19:45.615Z

Reserved: 2025-09-04T14:15:12.637Z

Link: CVE-2025-9991

cve-icon Vulnrichment

Updated: 2025-09-30T15:35:17.792Z

cve-icon NVD

Status : Deferred

Published: 2025-09-30T11:37:47.770

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-9991

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T19:30:06Z

Weaknesses