The Kunze Law WordPress plugin, widely used for legal service websites, contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2025-15486. This vulnerability exists in all versions up to and including 2.1. The root cause is the plugin's behavior of fetching HTML content from a remote server and injecting it directly into WordPress pages without any sanitization or escaping, violating secure coding practices (CWE-79). This allows an authenticated attacker with Administrator-level privileges on multi-site WordPress installations, where the unfiltered_html capability is disabled, to inject arbitrary JavaScript code that executes in the context of any user visiting the compromised page. The vulnerability scope is limited to multi-site setups and specific configuration states, reducing its attack surface. Furthermore, a path traversal vulnerability in the shortcode name parameter enables attackers to write malicious HTML files to arbitrary writable locations on the server, potentially facilitating further attacks such as phishing or malware hosting. The CVSS 3.1 vector (AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N) reflects that exploitation requires high privileges and network access but no user interaction, with partial impact on confidentiality and integrity, and no impact on availability. No patches or exploits are currently publicly available, but the vulnerability poses a risk of persistent XSS attacks and unauthorized file writes on affected systems.

This vulnerability can lead to persistent Cross-Site Scripting attacks, allowing attackers to execute arbitrary scripts in the browsers of users visiting the compromised pages. This can result in session hijacking, credential theft, defacement, or distribution of malware. The path traversal flaw further escalates the risk by enabling attackers to write malicious HTML files anywhere writable on the server, potentially facilitating phishing campaigns or persistent backdoors. Since exploitation requires administrator privileges, the immediate risk is limited to environments where such access is already compromised or granted to untrusted users. However, in multi-site WordPress installations, the impact is amplified as multiple sites can be affected simultaneously. Organizations relying on Kunze Law for legal or compliance-related websites risk reputational damage, data leakage, and regulatory non-compliance if exploited. The vulnerability does not affect availability directly but compromises confidentiality and integrity of site content and user data.

Administrators should immediately audit their WordPress environments to identify Kunze Law plugin installations, especially multi-site setups. Since no official patches are currently available, temporary mitigations include restricting administrator access to trusted personnel only and enabling the unfiltered_html capability if feasible to reduce attack surface. Implementing Web Application Firewall (WAF) rules to detect and block suspicious shortcode inputs and remote HTML content fetching can help mitigate exploitation attempts. Monitoring server file systems for unauthorized HTML file creation can detect exploitation of the path traversal vulnerability. Additionally, consider disabling or removing the Kunze Law plugin until a secure patched version is released. Regularly update WordPress core and plugins, and apply principle of least privilege to user roles to minimize risk. Security teams should also educate administrators about the risks of injecting remote content without sanitization and enforce secure coding practices in custom plugins.