Stored XSS occurs when an attacker injects malicious code into a website, which is then stored on the server. In this case, the malicious code is being stored as the user’s username.
When someone accesses the shared page, the website retrieves the user’s username from the server and displays it as part of the message “shared by”. At this point, the XSS payload is executed.