Description

The plugin does not sanitize and escape some Popup fields, which could allow high-privilege users such as an administrator to inject arbitrary web scripts even when the unfiltered_html capability is disallowed (for example in a multisite setup).
1. Create a new PopUp Box within the plugin.
2. In the “Custom Content” and Popup Description fields, enter the following payload when in text mode:
3. The XSS will be triggered when editing the Popup again, or when accessing the frontend (such as the homepage).
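
The fix for the issue described above is to filter the two fields when they are saved and to escape them in both places where they are rendered (the edit screen and the frontend). The following is an added example, not the plugin's own code: every function, field and meta key name starting with `example_` is hypothetical, and it assumes popups are stored as post meta inside a normal WordPress environment.

```php
<?php
// Added example, not the plugin's code. Names starting with "example_" are hypothetical.

// Save handler: filter both fields before they reach the database.
function example_save_popup( $popup_id ) {
    check_admin_referer( 'example_save_popup' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', 403 );
    }

    $content     = isset( $_POST['example_custom_content'] )
        ? wp_unslash( $_POST['example_custom_content'] ) : '';
    $description = isset( $_POST['example_description'] )
        ? wp_unslash( $_POST['example_description'] ) : '';

    // Allow-list filter applied to every user. A plugin that wants to honour
    // unfiltered_html would skip wp_kses_post() only when
    // current_user_can( 'unfiltered_html' ) returns true.
    $content     = wp_kses_post( $content );
    $description = sanitize_textarea_field( $description );

    // update_post_meta() unslashes its value, so slash it again first.
    update_post_meta( $popup_id, '_example_custom_content', wp_slash( $content ) );
    update_post_meta( $popup_id, '_example_description', wp_slash( $description ) );
}

// Edit screen: stored values go back into <textarea> elements, so escape for that context.
function example_render_edit_fields( $popup_id ) {
    $content     = (string) get_post_meta( $popup_id, '_example_custom_content', true );
    $description = (string) get_post_meta( $popup_id, '_example_description', true );

    printf( '<textarea name="example_custom_content">%s</textarea>', esc_textarea( $content ) );
    printf( '<textarea name="example_description">%s</textarea>', esc_textarea( $description ) );
}

// Frontend: the description is plain text, the custom content is limited HTML.
function example_render_popup( $popup_id ) {
    $content     = (string) get_post_meta( $popup_id, '_example_custom_content', true );
    $description = (string) get_post_meta( $popup_id, '_example_description', true );

    echo '<div class="example-popup">';
    echo '<p>' . esc_html( $description ) . '</p>';
    // Filter again on output so rows saved before the fix are also neutralized.
    echo wp_kses_post( $content );
    echo '</div>';
}
```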