CVE-2025-47578

The BNS Twitter Follow Button plugin for WordPress, version 0.3.8 and earlier, contains a DOM-Based Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user input during web page generation [1]. This flaw arises when the plugin processes certain data without adequate sanitization, enabling an attacker to inject arbitrary JavaScript that executes in the context of the user's browser.

Exploitation of this vulnerability requires user interaction, specifically a privileged user (e.g., an administrator) to perform an action such as clicking a malicious link, visiting a crafted page, or submitting a specially designed form [1]. No prior authentication is needed for the attacker to initiate the attack vector, but the target must trigger the malicious content.

Successful exploitation could allow an attacker to inject malicious scripts, including redirects, advertisements, or other HTML payloads, which execute when other users visit the affected site [1]. This can lead to session hijacking, defacement, or theft of sensitive information.

The vulnerability has been addressed by the vendor, and immediate action is recommended to update the plugin to a patched version [1]. Users unable to update should contact their hosting provider or web developer for mitigation assistance [1].