User opens up their dashboard, which displays a post that contains the XSS.
That script then makes a post using the users account to their own blog, further spreading the rogue script.