- Use Special:CreateTemplate to create a template
- Add "<script>alert(1);</script>" to the Field name.
- Go to Special:CreateForm, and add the template to the form
- Script is executed
It looks like Special:CreateTemplate can be called by anyone.
The Special:CreateForm post to add the template doesn't check the csrf token, so it can be submitted for a user via csrf.