## https://sploitus.com/exploit?id=WPEX-ID:1A5C5DF1-57EE-4190-A336-B0266962078F
Default setup:
As a contributor, edit your profile and put the following payload as First Name: " autofocus onfocus=alert`XSS`//, then select the display name with the payload in it and save.
Create/edit a post, add an Avatar block, enable "Link to user profile" and "Open in new tab" in the block settings. Or add the following code in a post while in Code Editor mode: <!-- wp:avatar {"isLink":true,"linkTarget":"_blank"} /-->
The XSS will be triggered when any user will (pre)view the post
---------
Worse setup ("Link to user profile" and "Open in new tab" enabled in the Avatar block settings in the comment template, which can be done by opening /wp-admin/site-editor.php?postType=wp_template&postId=twentytwentyfour%2F%2Fsingle, select one of the Avatar block in the comment and enable the settings)
Simply add a comment as unauthenticated with the following payload in the Name: " autofocus onfocus=alert`XSS`//, and put a dummy Website URL(required for the attack to work)