In menu Add page, there is a upload file function and xss payload can be injected there.
Detail:
1/ Access to the web demo and go to Add page menu.
2/ At upload file function, upload an file with filename is a payload xss.
3/ It will be triggered immediately.
Payload: "><img src>
Link video PoC: https://drive.google.com/file/d/1bgbbkTGhkKEYSVuQIyw58eKYjrW6pVc_/view?usp=sharing