I found that in /login.php Referer header's value was reflected in <a href='REFLECTION_HERE'>. Here reflection is inside single quotes, so we can use single quote in the path of previous page to break the attribute's value. For example previous page's url should be https://example.com/'__other_attributes__

Also we won't be able to use chars like <, ", and [SPACE] because they will be url encoded referrer header's value will be reflected. To separate multiple attributes we can use slash, like for path /attr1='val1'/attr2='val2', reflected value will be <a href='http://example.com/'/attr1='val1'/attr2='val2'>.

To make the payload work without user interaction, I checked CSS files included in the page to find if there is any animation defined. In the /slider-revolution/revolution/css/settings.css file, I found that there was an animation named rev-ani-mouse. So the payload should have that animation and onanimationend event handler defined, which will be called when the animation ends.

POC

1. Open https://webhook.site/
2. Click on the edit button at top right corner, and change Content-Type to 'text/html' and change body to

   <body>
   <a
   href="https://df7e3a3a0fe0-yashamin.a.firstbloodhackers.com/login.php"
   referrerpolicy="unsafe-url"
   >
   click me
   </a>
   </body>

   You'll need to provide referrerpolicy attribute to anchor tag, so it will send the entire URL in Referrer header. You can also use meta tags or Referrer-Policy response header to define referrer policy.

3. After saving, you'll see a unique URL, you can provide xss payload in the url.

   For my unique URL https://webhook.site/8de4f172-3d2d-41e8-b1f1-19d27d82a969, URL with the payload will be - 
   https://webhook.site/8de4f172-3d2d-41e8-b1f1-19d27d82a969/'/style='animation-name:rev-ani-mouse'/onanimationend='alert(1)'

4. Open the above URL and click on the link, and you will see alert.
   

Impact

XSS can be used to execute JS code on victim's browser to perform read/write actions on their data.