Vulnerabilities in Popup Builder WordPress plugin could allow unauthenticated attackers to inject malicious JavaScript code into popups displayed on tens of thousands of websites. The plugin’s developer fixed the security issues with the release of version 3.64.1, one week after Defiant reported the bugs. The flaws affect all versions up to and including Popup builder 3.63.1. The vulnerability allows for unauthentication stored XSS, configuration disclosure, user data export, and website settings modification.
Source: https://www.bleepingcomputer.com/news/security/wordpress-plugin-bug-allows-malicious-code-injection-on-100k-sites/