The plugin does not sanitise and escape some of its Popup options, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks, which could be used against admins
Create a New popup
Insert pop-up name, title, and body text.
Add a new trigger with default settings, choose "Click Open" and under "On Popup Close" then click add.
Click add new cookie and in the cookie name add the payload as cookie name: <script>alert("XSS")</script>
The XSS will be triggered when editing a trigger