CVE-2024-10116: 
WordPress vulnerability analysis and mitigation

The Twitter Follow Button plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2024-10116) affecting all versions up to and including 0.2. The vulnerability was discovered and disclosed on November 22, 2024. The plugin fails to properly sanitize and escape the 'username' parameter, making WordPress installations using this plugin potentially vulnerable (NVD).

The vulnerability is classified as a Stored Cross-Site Scripting (CWE-79) issue with a CVSS v3.1 base score of 6.4 (Medium). The attack vector requires an authenticated user with Contributor-level access or higher. The vulnerability stems from insufficient input sanitization and output escaping of the 'username' parameter, allowing for the injection of malicious web scripts (Wordfence).

When successfully exploited, the vulnerability allows attackers to inject arbitrary web scripts into pages that will execute whenever a user accesses an injected page. This can lead to potential theft of sensitive information, session hijacking, or other malicious actions performed in the context of the affected users' browsers (NVD).

Users are advised to update their Twitter Follow Button plugin to a version newer than 0.2 if available, or consider removing the plugin until a patch is released. Website administrators should also review and potentially restrict Contributor-level access to trusted users only (NVD).