The vulnerability CVE-2025-27265 in Google Maps for WordPress arises from improper input neutralization during web page generation, resulting in a DOM-based cross-site scripting (XSS) flaw. This allows attackers with low privileges to inject malicious scripts that execute in the victim's browser when a user interacts with crafted content. The affected versions include all releases up to 1.0.3. The CVSS 3.1 base score is 6.5, reflecting a medium severity with network attack vector, low attack complexity, requiring privileges and user interaction, and causing limited impact on confidentiality, integrity, and availability. No patch or vendor advisory is currently available, and no known exploits have been observed.

Successful exploitation could allow an attacker to execute arbitrary scripts in the context of the affected website, potentially leading to limited disclosure of information, modification of data, or disruption of service. The impact is limited by the requirement for low privileges and user interaction, and the scope is confined to the affected web application context.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider limiting exposure by restricting plugin usage or applying web application firewall (WAF) rules to detect and block suspicious input patterns related to DOM-based XSS. Monitor vendor channels for updates and apply patches promptly once available.