Reflected XSSReflected XSS is when the attacker sends along a link to a vulnerable page with a script in it and victims run the page as the attacker wants it set up. For example, think of search engine pages. If the attacker puts something in the search text so that search results are compromised, he/she can send you a link to that exact page. When you click on the link to that page YOU get the compromised search results and the attacker has you right where they want you...script running on your browser automatically.
Many times reflected XSS is used to grab your cookies so they can impersonate you, but obviously it can be for other things too.
Persistent XSSThis is where a site has malicious code on it, either on purpose or via user input. The victim may be going to a legitimate page with a malicious post (think discussion forum on legit site), or a malicious page whose intent is to attack you or others using your browser.
On thing malicious XSS sites are doing these days with persistent XSS is to infect your machine with malware. They accomplish this by telling you that you need to download a codec to view a file on their site. You accept the download and get the malware.
Something we can agree on is that we can all avoid going to malicious sites for the most part. We just stick to nice neighborhoods and avoid the skeevy ones. But malicious posts on trusted sites are hard to avoid. Consider StackOverflow.com. You go there to solve a tech problem and you hit a post with 15 replies. You get all 15 replies, like it or not. Those posts may have images that are pulled, etc. Before you go to the page, do you know if the page has a malicious script on it? You open the page and BOOM, everything runs...ain't a thing you can do about it either. (Don't worry, StackOverflow does not have this vulnerability, but do you know if other sites you hit are not vulnerable?)
Using something like the NoScript FireFox plugin is a smart thing. It blocks scripts until you allow them for a page or site. So the one bad post out of 15 will have its malicious script blocked unless you say it is ok to go to http://malicious_site.com and pull their script (in that case shame on you).