Impact
The BNS Twitter Follow Button plugin contains a DOM-based cross-site scripting (XSS) flaw that lets an attacker inject JavaScript into a WordPress page. Because the plugin's client-side code does not neutralize attacker-controlled input before writing it into the page, arbitrary script runs in the browser of any visitor who loads a page that includes the plugin together with a crafted input. This can lead to theft of cookies not flagged HttpOnly, credential harvesting, defacement, or actions performed in the victim's browser with the victim's privileges. The weakness is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation).
Affected Systems
The vulnerability affects the BNS Twitter Follow Button WordPress plugin by Edward Caissie, version 0.3.8 and all earlier releases. Any WordPress site that has a vulnerable version of the plugin installed is at risk, regardless of the WordPress core release it runs.
Risk and Exploitability
A CVSS score of 6.5 places the flaw at medium severity, and an EPSS score below 1 % indicates a low probability of exploitation in the near term. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. The attack path is remote and requires user interaction: the victim must load a page that includes the plugin together with attacker-controlled input, typically by following a crafted link. Because the script executes on the client, the flaw does not by itself compromise the web server, but script running in a logged-in user's browser inherits that user's session; against a WordPress administrator it can perform any action the administrator can, so the client-side rating should not be read as low impact for privileged accounts.