As admin, create/edit an Ultimate Post widget and put the following payload in the Title, URL or "CSS Classes" fields: " onmouseover="alert(/XSS/)"

The XSS will be triggered when a user move their mouse over
- the title of the widget on page where the widget is output
- the related field when editing the widget

Other payload, for the URL field to trigger in the frontend: ' onmouseover=alert(/XSS-URL/)// and javascript:alert(/XSS/)