The vulnerability manifests in two key phases: 1) Input handling during profile configuration (Controller save() action) where malicious XML is accepted without sanitization, and 2) Output generation when the stored XML is rendered (Model getter). The controller's saveAction is the primary injection point while the model's getActionsXml enables payload execution. These align with Magento's typical import/export profile management flow and the advisory's focus on profile action XML manipulation.