A user with the editmyprivateinfo right or who can otherwise change their name can XSS themselves by setting their "real name" to an XSS payload.
Here's the offending line: https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/d45c3d69f30863f622f16eb40dd41d3ca943454a/includes/Components/CitizenComponentUserInfo.php#L137
This was introduced in 717d16af35b10dab04d434aefddbf991fc8c168c
<script>alert("Admin with a propensity for self-XSSes")</script>
Any user who can change their name (whether it's through the editmyprivateinfo right or through other means) can add XSS payloads that trigger for themselves only.
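The pattern behind this issue, as an added example that is not the Citizen skin's own code: a user-controlled "real name" concatenated into HTML as-is, next to the same output encoded at render time. The function names and the wrapper markup are hypothetical, and the benign names are constructed sample input.

```php
<?php
// Added illustration; NOT the Citizen skin's code. Function names and the
// wrapper markup are hypothetical stand-ins for a component that prints a
// user's "real name" into the page.

// Vulnerable pattern: the stored value is concatenated into HTML as-is,
// so any markup in it is parsed by the browser.
function renderRealNameRaw(string $realName): string {
    return '<div class="user-realname">' . $realName . '</div>';
}

// Hardened pattern: encode at output time, so the value is always text.
// (In MediaWiki code, Html::element() escapes its contents the same way,
// while Html::rawElement() does not.)
function renderRealNameEscaped(string $realName): string {
    $text = htmlspecialchars($realName, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="user-realname">' . $text . '</div>';
}

// Regression check: the rendered fragment may contain exactly two tag
// openers, the wrapper's own <div ...> and </div>. Anything more means the
// name contributed markup.
function hasOnlyWrapperTags(string $html): bool {
    return preg_match_all('/<[A-Za-z\/!]/', $html) === 2;
}

$samples = [
    // Payload quoted in the advisory text.
    'payload' => '<script>alert("Admin with a propensity for self-XSSes")</script>',
    // Constructed benign names, to show that encoding keeps them readable.
    'quote'   => "Ada O'Neil",
    'angle'   => 'A < B',
];

foreach ($samples as $label => $name) {
    printf(
        "%-8s raw_ok=%s escaped_ok=%s\n",
        $label,
        var_export(hasOnlyWrapperTags(renderRealNameRaw($name)), true),
        var_export(hasOnlyWrapperTags(renderRealNameEscaped($name)), true)
    );
}
```

Only the advisory's payload fails the raw check; all three names pass once the value is encoded on output, which makes `hasOnlyWrapperTags` usable as a unit-test assertion for any component that prints profile fields.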