## https://sploitus.com/exploit?id=WPEX-ID:D00F05CB-BDDB-4B79-B2BC-73129FFD786B
Setup (as admin): Create a new form (using MetForm Elementor widgets), insert a text-area field and a submit button, then publish the form.

Attack (as unauthenticated): Visit the created form, insert the following JavaScript code in the text-area, and submit: `<script>alert(/XSS/)</script>`

The XSS is triggered when an admin views the created entry in the admin dashboard (MetForm > Entries > View).
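The entry view described above fires because a stored value reaches the admin page as markup. The following is an added example, not MetForm's code, showing that rendering pattern next to an output-encoded version. The function names, the field names and the entry layout are assumptions made for illustration; in a WordPress plugin the same encoding is normally done with `esc_html()`.

```php
<?php
// Added example, not MetForm's code. Function names, field names and the
// entry layout are hypothetical.

// Constructed sample: one stored entry as an admin "View" screen might load it.
$entry = [
    'message' => "<script>alert(/XSS/)</script>\nsecond line", // payload from the steps above
    'name'    => 'O\'Brien & "Co"',
];

// Vulnerable pattern: stored values are concatenated into HTML unchanged,
// so the browser parses them as markup when the admin opens the entry.
function render_entry_unsafe(array $entry): string {
    $rows = '';
    foreach ($entry as $label => $value) {
        $rows .= "<tr><th>$label</th><td>$value</td></tr>\n";
    }
    return "<table>\n$rows</table>\n";
}

// Encode for the HTML body/attribute context at output time.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened pattern: every label and value is encoded before it is placed
// in the page; line breaks are added only after encoding.
function render_entry_safe(array $entry): string {
    $rows = '';
    foreach ($entry as $label => $value) {
        // Multi-value fields (flat arrays) are joined before encoding.
        $text = is_array($value) ? implode(', ', array_map('strval', $value)) : (string) $value;
        $rows .= '<tr><th>' . h((string) $label) . '</th><td>' . nl2br(h($text)) . "</td></tr>\n";
    }
    return "<table>\n$rows</table>\n";
}

$unsafe = render_entry_unsafe($entry);
$safe   = render_entry_safe($entry);

// Report whether each rendering still contains a script element, then show
// the encoded markup that would be sent to the admin's browser.
printf("unsafe contains <script: %s\n", var_export(stripos($unsafe, '<script') !== false, true));
printf("safe contains <script:   %s\n", var_export(stripos($safe, '<script') !== false, true));
echo $safe;
```

Encoding at output time also neutralises entries that were stored before a fix was deployed, which input-side filtering alone does not.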