1.      Install and activate the Ninja Forms WordPress
2.      As an admin with the unfiltered_html capability, create a new form.
3.      In the form settings, add a new text field.
4.      In the field label, enter the following code: <img src=x onerror=alert(1)>, or Name<a href=javascript:alert(/XSS-1/) onfocus=alert(/XSS-2/) autofocus>ClickME, maybe</a>
5.      Save the form.

The XSS will be triggered when viewing the form in the frontend, as well as when editing the form in the backend