As a user with the Contributor role or above, create a new Popup (in the Popup Maker menu) whose "content" field contains [popup_close tag="script"]alert(/XSS/)[/popup_close].

The XSS will be triggered when previewing the Popup, as well as on frontend pages (once the popup is published).

Alternatively, the shortcode can also be put directly in any post/page, and the XSS will be triggered when the post/page is previewed/viewed.
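
An audit for content already stored on a site, as an added example that is not part of the original advisory or the plugin's own code: it scans post and popup content for [popup_close] shortcodes whose tag attribute falls outside an allowlist. The allowlist, the function names and the sample rows are assumptions constructed for illustration; in practice the rows would come from an export of post content.

```python
import re

# Assumption: element names a site accepts for the close trigger.
ALLOWED_TAGS = {"a", "button", "div", "span", "p", "li", "img",
                "h1", "h2", "h3", "h4", "h5", "h6"}

# Opening [popup_close ...] shortcode; group 1 is the raw attribute string.
# The closing form [/popup_close] does not match because of the slash.
SHORTCODE_RE = re.compile(r"\[popup_close\b([^\]]*)\]")
# name="value", name='value' or name=value pairs inside the shortcode.
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'\]]+))""")


def parse_attrs(raw):
    """Return shortcode attributes as a dict with lower-cased names."""
    attrs = {}
    for m in ATTR_RE.finditer(raw):
        value = next(g for g in m.groups()[1:] if g is not None)
        attrs[m.group(1).lower()] = value
    return attrs


def find_unsafe_close_tags(rows):
    """rows: iterable of (post_id, post_content).

    Returns [(post_id, tag_value)] for every popup_close shortcode whose
    tag attribute is not an allowlisted element name. HTML element names
    are case-insensitive, so the comparison is done in lower case.
    """
    findings = []
    for post_id, content in rows:
        for m in SHORTCODE_RE.finditer(content):
            tag = parse_attrs(m.group(1)).get("tag")
            if tag is not None and tag.strip().lower() not in ALLOWED_TAGS:
                findings.append((post_id, tag))
    return findings


# Constructed sample rows; row 101 carries the shortcode from the steps above.
SAMPLE_ROWS = [
    (101, 'Hello [popup_close tag="script"]alert(/XSS/)[/popup_close]'),
    (102, "[popup_close tag='button']Close[/popup_close]"),
    (103, "[popup_close]Dismiss[/popup_close] no tag attribute"),
    (104, "[popup_close tag=Span]x[/popup_close] [popup_close tag=SCRIPT]y[/popup_close]"),
]

if __name__ == "__main__":
    for post_id, tag in find_unsafe_close_tags(SAMPLE_ROWS):
        print(f"post {post_id}: popup_close uses non-allowlisted tag {tag!r}")
```

Because Contributor-level accounts can save this content, any hit is worth reviewing together with the author and revision history of the post.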