## https://sploitus.com/exploit?id=WPEX-ID:55D11ACF-8C47-40DA-BE47-24F74FD7566E
Put the following payload in the System > Miscellaneous > Custom Timezone setting of the plugin: "><details open ontoggle="alert(/XSS/)">
The XSS will be triggered when viewing the settings page
Put the following payload "><details open ontoggle="alert(/XSS/)"> in Texts > Before Voting / After Voting / Answer Buttons / Admin Columns > Feedback settings
The XSS will be triggered when viewing a post/page where with the Helpful Widget is displayed, or after a vote depending on the vulnerable field/s used
Put the following payload in the Feedback > Messages: "><details open ontoggle="alert(/XSS/)">
The plugin fixes from 4.4.56 to 4.4.58 were insufficient as not escaping data when output in attributes, allowing for payloads such as " style=animation-name:rotation onanimationstart=alert(/XSS/)//