Not really, no. If all it takes to exploit the remote service is to make the request (i.e., you don't need to be able to read the response data to exploit it), you can easily force a request by means other than XHR; an image tag is probably the most straightforward.
Also, strictly speaking, this class of attack is Cross-Site Request Forgery (CSRF), not Cross-Site Scripting (XSS).
The request isn't actually made (at least not your request). The browser sends an OPTIONS request to get the CORS policy and then will block your request if its not allowed.
Edit: My above comment is slightly incorrect. If the request is "simple" it will be made and then you'll be blocked if it doesn't fit the CORS policy. If the request is not deemed "simple" (according to some rules you can look up in the spec) then the OPTIONS flow occurs.