Stored XSS on account creation

Paras Arora
1 min read · May 31, 2020


I recently started hunting on a program, and from the very first step, account creation, I decided to hunt for XSS.

I was filling out the account creation form on the website: https://www.example.com

I checked whether I could inject special characters into the name field and found that I could; there was no restriction on them.

So I immediately inserted a basic XSS payload in the first name field.

Payload used: <script>alert("Paras")</script>

Then I created the account.

Then I received an account activation email. After activating my account, I was redirected to https://www.example.com/account

and my XSS executed.
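As an added illustration (not code from the original post or from the target program), the Node.js snippet below models the failure the post describes: a first name stored at signup is interpolated into the account page's HTML without encoding, so the script tag survives the activation round trip and becomes live markup on /account. Beside it is the output-encoding step that would have stopped it. The welcome-heading template, the function names and the stored value are assumptions made for the example.

```javascript
// Added example: minimal model of a stored XSS in a name field.
// Not the author's or the target program's code; template and names are assumed.

// Constructed input: the payload the post reports, as it would sit in the database
// after signup. Nothing between signup and the account page touches it.
const STORED_FIRST_NAME = '<script>alert("Paras")</script>';

// Vulnerable rendering: the stored name is concatenated into markup verbatim,
// so any tags it contains are parsed as HTML when /account loads.
function renderAccountUnsafe(firstName) {
  return `<h1>Welcome, ${firstName}</h1>`;
}

// Fix: encode the five characters that can change HTML structure or close an
// attribute, at the moment the value enters an HTML text node.
function escapeHtml(value) {
  const map = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#x27;',
  };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderAccountSafe(firstName) {
  return `<h1>Welcome, ${escapeHtml(firstName)}</h1>`;
}

// Quick check a tester can reuse against a fetched page: does the response still
// carry the payload's executable tag? The HTML parser is case-insensitive, so is this.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

function demo() {
  const unsafe = renderAccountUnsafe(STORED_FIRST_NAME);
  const safe = renderAccountSafe(STORED_FIRST_NAME);
  console.log('unsafe:', unsafe, '-> script tag present:', containsScriptTag(unsafe));
  console.log('safe:  ', safe, '-> script tag present:', containsScriptTag(safe));
}

demo();
```

The fix belongs at the point where the name is written into HTML, not as a character blocklist at signup: real names contain apostrophes and ampersands, and the same stored value may later be rendered in other contexts (an attribute, a JavaScript string, an email body), each of which needs its own encoding.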


Written by Paras Arora

Social media: @parasarora06, Penetration Tester | Application Security
