## https://sploitus.com/exploit?id=WPEX-ID:49328498-D3A0-4D27-8A52-24054B5E42F3
- Log in as contributor+
- Create a custom field containing an XSS payload (e.g. `<script>alert(1)</script>`)
- Add this shortcode to the post/page: `[metadata element="custom_fields"]`
- The XSS will be triggered when the post/page is previewed/viewed by any user
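
The steps above imply that the shortcode prints custom field values without output escaping. The following is an added example, not the plugin's code: a standalone PHP sketch of that unsafe rendering pattern next to a hardened one. The function names and the sample meta array are hypothetical and constructed here, and `htmlspecialchars()` stands in for WordPress's `esc_html()` so the file runs outside WordPress.

```php
<?php
// Added illustration; render_custom_fields_* are hypothetical names, not the plugin's code.
// Constructed sample: post meta in the shape get_post_meta($post_id) returns
// (key => list of values), including a contributor-supplied script value.
$meta = [
    'mood'       => ['<script>alert(1)</script>'],
    'reviewer'   => ['Alice & Bob'],
    '_edit_lock' => ['1700000000:1'],   // internal key, not meant for display
];

// Unsafe pattern: values go into the page as-is, so markup stored in a
// custom field becomes live HTML for every viewer of the post.
function render_custom_fields_unsafe(array $meta): string {
    $out = '<ul class="custom-fields">';
    foreach ($meta as $key => $values) {
        foreach ($values as $value) {
            $out .= "<li>$key: $value</li>";
        }
    }
    return $out . '</ul>';
}

// Hardened pattern: skip internal keys and escape both key and value at output.
// Inside WordPress, use is_protected_meta() and esc_html() for these two steps.
function render_custom_fields_safe(array $meta): string {
    $esc = fn($s) => htmlspecialchars((string) $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $out = '<ul class="custom-fields">';
    foreach ($meta as $key => $values) {
        if (strncmp((string) $key, '_', 1) === 0) {
            continue;
        }
        foreach ((array) $values as $value) {
            $out .= '<li>' . $esc($key) . ': ' . $esc($value) . '</li>';
        }
    }
    return $out . '</ul>';
}

$unsafe = render_custom_fields_unsafe($meta);
$safe   = render_custom_fields_safe($meta);
// Check whether each rendering still contains a live <script> element.
var_dump(strpos($unsafe, '<script>') !== false);
var_dump(strpos($safe, '<script>') === false);
echo $safe, PHP_EOL;
```

Escaping at output matters here because contributor-level accounts can save custom field values that are later rendered to other users, including administrators previewing the post.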