The Popup Builder WordPress plugin before 4.2.3 does not prevent simple visitors from updating existing popups, and injecting raw JavaScript in them, which could lead to Stored XSS attacks.
https://www.scmagazine.com/news/wordpress-layerslider-plugin-bug-risks-password-hash-extraction