## https://sploitus.com/exploit?id=WPEX-ID:4869FDC7-4FC7-4917-BC00-B6CED9CCC871
The shortcode need to be active (can be done via the Shortcode tab settings of the plugin), and a bitly API key set (can be a dummy one such as 'aaa') via the Advanced settings of the plugin
[Campaign-URL-Builder wrapper='" onmouseover="alert(/XSS/)"']
Other attributes were also affected (such as wrapper-inline-style, form-inline-style, input-class, form and custom_parameters)