The plugin does not validate the type of files uploaded when creating a popup, allowing a high privileged user (such as an Administrator) to upload arbitrary files, even when modifying the file system is disallowed, such as in a multisite install.
Create a new popup by filling in anything in the title (Tytul) and link (Link) fields.
Then select a php file as the image, and click "Dodaj popup" to add the popup.
The uploaded file can be accessed as http://example.com/wp-content/uploads/zyrex_popup/payload.php
By activating the popup (click the "Aktywuj" button), the payload will be loaded and executed whenever the popup is to be shown on the site.