## https://sploitus.com/exploit?id=WPEX-ID:5A0D5922-EEFC-48E1-9681-B63E420BB8B3
Setup (as admin):
- Create a view (/wp-admin/edit.php?post_type=wpm-testimonial&page=testimonial-views)
- In the "Custom Fields" section, click on "Full Name" and set "Display Type" to "link (must be URL type)"
- Save the view, and put its shortcode (e.g. [testimonial_view id="1"]) in a post/page
As Contributor:
- add a testimonial, set the Full Name to 123"onmouseover='alert(/XSS/)'
- Submit the testimonial for review (or publish it if using an Author+ role)
Once the testimonial is approved/published, the XSS is triggered in the post where the view is embedded as soon as a user moves the mouse over the generated testimonial link.
The attack could also be carried out via an Author role, which avoids waiting for an admin to approve the testimonial.
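As an added illustration (not code from the advisory or from the plugin): a minimal PHP rendering of a testimonial field under a "link" display type, first without escaping, which reproduces the attribute break-out described above, and then with scheme checking and context-specific escaping. The `$stored_full_name` value and the helper names are hypothetical; in a WordPress plugin `esc_url()`, `esc_attr()` and `esc_html()` would take the place of the inline helpers.

```php
<?php
// Added example, not from the advisory or the plugin.
// Constructed stored value: the same string the advisory submits as Full Name.
$stored_full_name = '123"onmouseover=\'alert(/XSS/)\'';

// Vulnerable pattern: the field value is placed into the href attribute and
// the link text without escaping, so a double quote closes the attribute and
// the remainder becomes an event-handler attribute on the <a> element.
function render_link_vulnerable(string $value): string {
    return '<a href="' . $value . '">' . $value . '</a>';
}

// Hardened pattern, step 1: accept only http(s) URLs as a link target and
// escape the accepted URL for the attribute context.
function safe_url(string $value): string {
    $value  = trim($value);
    $scheme = strtolower((string) parse_url($value, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return ''; // not a URL (or a javascript:/data: scheme): no link target
    }
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hardened pattern, step 2: escape the visible text for the HTML text
// context, and fall back to plain text when the value is not a usable URL.
function render_link_hardened(string $value): string {
    $href = safe_url($value);
    $text = htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    if ($href === '') {
        return $text; // field is not a URL: emit inert text, no <a> element
    }
    return '<a href="' . $href . '">' . $text . '</a>';
}

echo render_link_vulnerable($stored_full_name), "\n";
echo render_link_hardened($stored_full_name), "\n";
echo render_link_hardened('https://example.com/?a=1&b=2'), "\n";
```

Run with `php example.php` and compare the three lines: the first carries the injected attribute, the second renders the same value as inert text, and the third shows a legitimate URL surviving as a link with its ampersand escaped for the attribute.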