A high-severity vulnerability has been identified in the Tiny Bootstrap Elements Light plugin for WordPress, which could allow an unauthenticated attacker to access sensitive files on the web server. Successful exploitation could lead to the disclosure of confidential information, such as database credentials, potentially resulting in a full compromise of the website and its underlying server. Organizations using this plugin are urged to apply the recommended remediation actions immediately to mitigate the risk.

The vulnerability is a Local File Inclusion (LFI). This flaw exists because the plugin does not properly sanitize user-supplied input when including files. An unauthenticated remote attacker can exploit this by crafting a special request that tricks the application into including and displaying the contents of arbitrary files from the local server, such as wp-config.php (containing database credentials) or system files like /etc/passwd.

This vulnerability is rated as High severity with a CVSS score of 8.1. Exploitation could lead to significant business consequences, including the theft of sensitive data, customer information, or intellectual property stored on the server. The exposure of configuration files could provide an attacker with credentials needed to gain deeper access to the organization's infrastructure, leading to a complete system compromise, reputational damage, and potential regulatory fines for data breaches.

Immediate Action: Immediately update the "Tiny Bootstrap Elements Light" plugin to the latest version available (greater than version 4). If the plugin is not essential for business operations, the recommended course of action is to deactivate and remove it entirely to eliminate the attack surface.

Proactive Monitoring: Monitor web server access logs for suspicious requests containing directory traversal patterns (e.g., ../, ..%2f) or attempts to access sensitive files like wp-config.php, .env, /etc/passwd, or /proc/self/environ. Implement file integrity monitoring to detect unauthorized changes to WordPress core files and plugins.

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rules specifically designed to detect and block LFI attack patterns. Additionally, enforce strict file system permissions to ensure the web server user account cannot read sensitive files outside of its designated directories.

Public Exploit Available: false

Given the high severity (CVSS 8.1) and the potential for complete server compromise, it is strongly recommended that organizations identify all WordPress sites using the "Tiny Bootstrap Elements Light" plugin and apply the vendor-supplied patch immediately. Although this vulnerability is not currently on the CISA KEV list and no public exploits are available, the simplicity of exploiting LFI flaws means that threat actors are likely to develop exploits quickly. Prioritize patching this vulnerability to prevent data exposure and system compromise.