This tweet reveals an XSS vulnerability bypass for WAFs. The payload is an iframe tag with an onload event that sets the width to '100px'. The condition for triggering the payload is no user interaction required. This bypass technique poses a risk to WAFs by allowing malicious scripts to execute without user interaction. More details in a blog post.