During an analysis of the Popup Builder plugin, WP Scan discovered a pretty serious Stored XSS vulnerability that can be exploited by any attackers, regardless of whether they have an account on the site.
When successfully exploited, this vulnerability may let attackers perform any action the logged-in administrator they targeted is allowed to do on the targeted site, including installing arbitrary plugins, and creating new rogue Administrator users.
Upon identifying the vulnerability, we promptly alerted the authors of that plugin, who released version 4.2.3 to fix the issue. It is crucial for administrators of sites using this plugin to ensure it is fully updated to safeguard against this vulnerability.
Fix announcement and more details: https://a8cteam5105.wordpress.com/blog/stored-xss-fixed-in-popup-builder-4-2-3