## https://sploitus.com/exploit?id=WPEX-ID:A4AD73B2-6A70-48FF-BF4C-28F81B193748
Setup: The CTA Expansion (wp-admin/admin.php?page=vkExUnit_setting_page) must be enabled, and at least one CTA (/wp-admin/edit.php?post_type=cta) must be published.
As a contributor, add a CTA block in a post, select a published CTA and put the following payload in the "Additional CSS class(es)" setting of the block: " onmouseover="alert(/XSS/)" style="background:red;"
The XSS will be triggered when previewing/viewing the post and moving the mouse over the red block.
Note: If random is selected and there is no CTA published, the post won't be able to be saved, and will rather crash