Setup (as admin): Create a new form (using MetForm Elementor widgets) and insert a text-area field and a submit button then publish the form.

Attack (as unauthenticated): Visit the created form and insert the following JavaScript code in the text-area and submit: <script>alert(/XSS/)</script> 

The XSS will be triggered when an admin view the created entry in the admin dashboard (MetForm > Entries > View)