So what exactly you have to do is hack the XML construct below in order to trigger it.
The interesting part is understanding the entry point, as discussed.
Consider /adm/index.php?m=login. Usually the "m" parameter in this URI is considered the entry point, which is true in a certain sense. However, for this XSS, the entry point is in the path itself: /adm/index.php/[Injection Point]?m=login.
So, the point is, XSS finds its own entry points. :)
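For reviewing requests or access logs with this in mind, the following added example (not from the original post) separates the script name, the trailing path segment and the query string, then flags markup characters in the path segment and shows its XML-escaped form. The function names and the sample URIs are constructed for illustration, and it assumes the application reflects the path after the script name into its output.

```python
import re
from urllib.parse import urlsplit, unquote
from xml.sax.saxutils import escape

# Characters that change structure when reflected into XML/HTML output.
MARKUP_CHARS = set("<>\"'&")
# Script name followed by an optional extra path segment (the overlooked entry point).
SCRIPT_RE = re.compile(r"^(?P<script>.*?\.php)(?P<extra>/.*)?$", re.IGNORECASE)


def split_entry_points(uri):
    """Return (script, path_info, query) for a request URI."""
    parts = urlsplit(uri)
    match = SCRIPT_RE.match(parts.path)
    if not match:
        return parts.path, "", parts.query
    # Decode percent-encoding so the check sees what the application will see.
    return match.group("script"), unquote(match.group("extra") or ""), parts.query


def review(uri):
    """Summarise the path-based entry point of one request."""
    script, path_info, query = split_entry_points(uri)
    return {
        "script": script,
        "path_info": path_info,
        "query": query,
        # True when the extra path segment carries markup-significant characters.
        "suspicious": any(ch in MARKUP_CHARS for ch in path_info),
        # What the application should emit if it must echo the segment into XML.
        "xml_safe": escape(path_info, {'"': "&quot;", "'": "&apos;"}),
    }


# Constructed sample requests; the second uses a harmless marker element.
SAMPLE_URIS = [
    "/adm/index.php?m=login",
    "/adm/index.php/%3Ctest%3E?m=login",
    "/adm/index.php/help?m=login",
]

if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        print(uri, "->", review(uri))
```

A filter that inspects only the "m" parameter passes all three sample requests, while the second one carries markup in the path segment.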
Browser Security Talk:
On an additional note, the screenshot presented above shows that the payload is sent in the URL, Google Chrome parses it, and the payload then becomes persistent. It seems like a bypass, and yes, it is. It depends on whether the Google Chrome team considers it one or not. IE and NoScript trigger an alert.