Security Alert Summary
The Kunze Law plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability via its shortcode that allows authenticated administrators to inject arbitrary scripts by having the plugin fetch and insert remote HTML without sanitization. The issue affects multi-site installations and sites where unfiltered_html is disabled. A related path traversal issue in the shortcode name can allow writing HTML files to writable locations on the server.
CVE Details
- CVE ID: CVE-2025-15486
- Affected component: Kunze Law plugin for WordPress
- Affected versions: All versions up to, and including, 2.1
- Published: January 14, 2026 at 6:15:54 AM
- Last modified: January 14, 2026 at 4:25:12 PM
- CVSS v3.1 Base Score: 4.4 (MEDIUM)
- CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
- Authentication / Privileges / User Interaction: Requires authenticated attacker with high privileges (administrator-level); user interaction not required.
- Primary impact: Confidentiality: Low; Integrity: Low; Availability: None
- CWE / Weakness: CWE-79 (Improper Neutralization of Input During Web Page Generation – Cross-site Scripting)
Technical Details
The plugin’s shortcode fetches HTML content from a remote server and injects that content into pages without sanitization or escaping, resulting in stored cross-site scripting (XSS). Because the injected content is stored and served to visitors of the affected page, any arbitrary script included in the fetched HTML will execute in the context of users who view that page.
The description specifies this occurs in shortcode handling and that the vulnerability affects multi-site installs and installs where unfiltered_html has been disabled. Additionally, a path traversal weakness in the shortcode name can be used to write malicious HTML files to arbitrary writable locations on the server, potentially making malicious payloads persistent on disk.
Impact is limited by the requirement that the attacker have administrator-level privileges to perform the injection. The vulnerability enables script execution in other users’ browsers (confidentiality and integrity impact are assessed as low), but does not indicate direct impact to service availability.
How This Could Impact Your Website
Consider a site with an owner (site administrator), internal staff (editors or authors), and external contributors. An administrator or another account with administrator-level access could use the vulnerable shortcode to store malicious HTML that runs whenever editors, staff, or site visitors view the affected page. Executed scripts could expose limited confidential information visible to those users (for example, user interface data or email addresses shown on pages) or alter page content in ways that enable targeted social engineering or phishing against staff or customers.
Because availability impact is not indicated, this issue is not described as causing service outages, but it can enable client-side attacks against users and site editors. If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.
Recommended Actions
- Update the affected plugin as soon as a patched version is available.
- Review and reduce unnecessary user roles, especially administrator accounts and contributors with elevated permissions.
- Enforce strong passwords and two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins.
- Monitor site activity and audit logs for unusual behavior related to shortcode use or file writes.
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
