How could this be exploited?
a person can make a group posing to be a random game listing. Interested party clicks the non-shady looking link, person who clicks the link turns out to be an admin, the admin scrolls through the page and doesn't notice anything off because the attacker cleverly hides the CSS of the group pages with display : hidden. Attacker than changes the group page title in just a way that a quick scroll through has hidden the obvious js in title name which would show in pages <h1> html tag, which may be missed. While scrolling the admin's mouse cursor passes the title input field and due to the XSS the admin unknowingly runs the attackers XSS as they used onmouseover input attribute to silently run the javascript
By