- As a privileged user (one with the awardmanage user right) go to Special:SystemGiftManager and create a gift that has a title like "><script>alert('XSS')</script>
- Hit the button on the page to have the award created
- Note that the XSS gets executed right away (if at least one user matches the threshold you chose)...
- ..and as a bonus, it gets spread everywhere, or at least to the profile pages of users who got the award (though not directly - it isn't executed on User:/User_profile: page views, but upon clicking on the View all link in the user profile of a user who has more than 4 awards; e.g. not on User:Foo but definitely on Special:ViewSystemGifts? user=Foo)
Tangentially related bonus: the use of $this->msg( 'some message key' )->plain() in SocialProfile in general is more than likely 100% incorrect. (I accept the full responsibility for that, my fault.)
Though they are quite similar code-wise, UserGifts' Special:GiftManager and thus the user-to-user gifting functionality does not seem to be affected. Likewise, the Special:ViewGifts and Special:ViewGift special pages are fine and do not execute the XSS.