Setup: The CTA Expansion (wp-admin/admin.php?page=vkExUnit_setting_page) must be enabled, and at least one CTA (/wp-admin/edit.php?post_type=cta) must be published.

As a contributor, add a CTA block in a post, select a published CTA and put the following payload in the "Additional CSS class(es)" setting of the block: " onmouseover="alert(/XSS/)" style="background:red;"

The XSS will be triggered when previewing/viewing the post and moving the mouse over the red block.

Note: If random is selected and there is no CTA published, the post won't be able to be saved, and will rather crash