CVE-2025-15486 describes a stored cross-site scripting vulnerability in the Kunze Law WordPress plugin (versions up to 2.1). The plugin fetches HTML content remotely and injects it into pages without proper sanitization, enabling authenticated users with administrator privileges to inject malicious scripts. This vulnerability specifically impacts multi-site WordPress installations or those where unfiltered_html is disabled. Furthermore, a path traversal vulnerability in the shortcode name allows attackers to write malicious HTML files to arbitrary writable server locations. The CVSS 3.1 vector indicates network attack vector, high attack complexity, high privileges required, no user interaction, scope changed, and low confidentiality and integrity impact with no availability impact.

An authenticated attacker with administrator-level access can exploit this vulnerability to inject and store malicious scripts that execute in the context of users visiting the affected pages, potentially leading to session hijacking or other script-based attacks. The path traversal issue further allows writing malicious files to arbitrary locations on the server, which could facilitate additional attacks or persistence. The impact is limited to multi-site or unfiltered_html-disabled installations and requires high privileges, reducing the likelihood of exploitation by lower-privileged users.

No official patch or fix is currently available for this vulnerability. Administrators should review plugin usage in multi-site environments and consider restricting administrator access to trusted users only. Monitoring for unusual shortcode usage or unexpected file writes may help detect exploitation attempts. Check the vendor advisory regularly for updates or official patches. Since this is not a cloud service, remediation depends on applying vendor fixes once available or implementing manual mitigations.