The vulnerability CVE-2025-27331 affects the WooCommerce Display Products by Tags plugin by Sébastien Dumont. It is a DOM-based cross-site scripting (XSS) flaw caused by improper neutralization of input during web page generation. This allows an attacker to inject malicious scripts that execute in the victim's browser. The affected versions include all versions up to 1.0.0. The CVSS 3.1 base score is 6.5, reflecting a medium severity with network attack vector, low attack complexity, requiring low privileges and user interaction, and impacts on confidentiality, integrity, and availability. No patch or vendor advisory is currently provided.

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary scripts in the context of the affected website, potentially leading to information disclosure, modification of site content, or disruption of availability. The attack requires user interaction and low privileges, and the scope is changed, meaning the attack can affect resources beyond the vulnerable component. There are no known exploits in the wild at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider limiting exposure to this plugin or disabling it if possible. Monitor for updates from the vendor Sébastien Dumont and apply any official patches promptly once available.