The plugin in question is Popup Builder Responsive WordPress Pop up Subscription & Newsletter, from developer Sygnoos. The plugin has been installed on 200,000 WordPress websites. The vulnerability could be exploited by attackers to send out newsletters with custom content, or to delete or import newsletter subscribers. The issue stems from a lack of authorization for AJAX methods in the plugin. A fix has been issued in version 3.72; and the latest version is 3.73.
Source: https://threatpost.com/wordpress-pop-up-builder-plugin-flaw-plagues-200k-sites/163500/

