## https://sploitus.com/exploit?id=WPEX-ID:090A3922-FEBC-4294-82D2-D8339D461893
The following steps work on version 1.1.147, before any partial fixes.

1. Go to the "Calculated Fields Form" page in WP Admin.
2. Under "New Form", add an "Item Name" and choose "From Template".
3. Choose the template "DropDown fields with Images" and click "Use It".
4. Click on the first field (`fieldname1`) and in the Field Settings sidebar on the left, change the `Text` field on one of the choices to `<img src="x" onerror=alert(/XSS/)>`.
5. After saving, either preview the form or view a post/page with the form embedded to trigger the XSS.
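
A defensive counterpart to the steps above, as an added example that is not the plugin's own code: choice text is HTML-encoded before it is placed in dropdown markup, and stored choices are audited for tags or inline event handlers. The field layout (`name`, `choices`) and all function names are assumptions made for illustration.

```javascript
// Added example. The field layout and function names are assumptions,
// not the plugin's actual data model or API.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a value for use in HTML text or inside a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build the <select> markup for one dropdown field, encoding every choice
// so that stored markup is displayed as text instead of being parsed.
function renderDropdown(field) {
  const options = field.choices.map((text) =>
    `<option value="${escapeHtml(text)}">${escapeHtml(text)}</option>`);
  return `<select name="${escapeHtml(field.name)}">${options.join('')}</select>`;
}

// Audit helper: list stored choices that contain tags, inline event handlers
// or javascript: URLs, so forms saved before a fix can be reviewed.
function findSuspiciousChoices(fields) {
  const markup = /<\s*\/?\s*[a-z!]|\bon[a-z]+\s*=|javascript:/i;
  const hits = [];
  for (const field of fields) {
    field.choices.forEach((text, index) => {
      if (markup.test(String(text))) hits.push({ field: field.name, index, text });
    });
  }
  return hits;
}

// Constructed sample: clean choices plus the choice text from step 4.
const sampleFields = [
  { name: 'fieldname1', choices: ['First choice', '<img src="x" onerror=alert(/XSS/)>'] },
  { name: 'fieldname2', choices: ['Red', 'Green & Blue'] },
];

console.log(renderDropdown(sampleFields[0]));
console.log(findSuspiciousChoices(sampleFields));
```

Encoding at output time protects every page that renders the form; the audit only helps locate choices that were saved while the vulnerable version was installed.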