- Create a poll via Special:CreatePoll, or edit an existing one via Special:UpdatePoll
- Have an answer option contain something like <script>alert('XSS')</script>
- Save changes
- When viewing the poll's page in the NS_POLL namespace, the malicious code gets executed even though it damn well shouldn't

The last step is also true for polls embedded on other wiki pages via the pollembed parser tag.
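
The missing output escaping behind these steps, shown as an added example that is not PollNY's own code: a vulnerable renderer beside a hardened one, plus a regression check usable for both the NS_POLL page and the pollembed output. The function names, the array layout and the sample poll are hypothetical.

```php
<?php
// Added example: hypothetical renderer, not taken from the extension's source.

// Constructed sample: a poll as it might be stored after saving the form.
$poll = [
    'question' => 'Favourite colour?',
    'choices'  => [ 'Blue', "<script>alert('XSS')</script>", 'Tom & "Jerry"' ],
];

/** Vulnerable pattern: stored answer text is concatenated into markup as-is. */
function renderChoicesUnsafe( array $poll ): string {
    $html = '';
    foreach ( $poll['choices'] as $i => $choice ) {
        $html .= '<div class="poll-choice"><input type="radio" name="choice" value="'
            . $i . '"> ' . $choice . "</div>\n";
    }
    return $html;
}

/**
 * Hardened: every stored string is escaped at the point of output.
 * Inside MediaWiki, htmlspecialchars() or Html::element() does the same job.
 */
function renderChoicesSafe( array $poll ): string {
    $html = '';
    foreach ( $poll['choices'] as $i => $choice ) {
        $text = htmlspecialchars( $choice, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
        $html .= '<div class="poll-choice"><input type="radio" name="choice" value="'
            . (int)$i . '"> ' . $text . "</div>\n";
    }
    return $html;
}

/** Regression check: only the renderer's own div/input elements may appear. */
function containsForeignMarkup( string $html ): bool {
    return preg_match( '~<(?!/?div\b|input\b)[a-z!/]~i', $html ) === 1;
}

// Run both renderers over the same stored data and report what survives.
foreach ( [ 'unsafe' => 'renderChoicesUnsafe', 'safe' => 'renderChoicesSafe' ] as $label => $fn ) {
    $out = $fn( $poll );
    printf( "%-6s foreign markup: %s\n", $label, containsForeignMarkup( $out ) ? 'YES' : 'no' );
}
```

Escaping happens at output rather than at save time, so polls that were stored before a fix render safely too.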