CVE-2025-15486

Name of the Vulnerable Software and Affected Versions Kunze Law plugin for WordPress versions prior to 2.1

Description The Kunze Law plugin for WordPress is susceptible to Stored Cross-Site Scripting through the plugin’s shortcode. The issue arises because the plugin retrieves HTML content from a remote server and inserts it into pages without proper sanitization or escaping. This allows authenticated attackers with Administrator-level access or higher to inject arbitrary web scripts into pages, which will execute when a user accesses the affected page. This impacts multi-site installations and installations where unfiltered html has been disabled. A path traversal issue within the shortcode name also enables writing malicious HTML files to arbitrary writable locations on the server.

Recommendations Update to a version of the Kunze Law plugin later than 2.1.