Description

The plugin does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.
1) Create a new popup via /wp-admin/admin.php?page=ays-pb&action=add
2) Set its "Custom content" and "Popup description" fields to the following: <script>alert(1);</script>
3) Save, and notice the alert box appearing when re-editing the popup and when visiting the website.
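
The missing controls described above, sketched as an added example (not the plugin's own code or its actual patch): sanitise on save according to the unfiltered_html capability, and escape at both output points named in step 3. The function names and the field keys 'custom_content' and 'description' are hypothetical; only WordPress core functions are called.

```php
<?php
// Added example: hypothetical handlers, not the plugin's own code.
// Field keys 'custom_content' and 'description' are assumed names.

// Save path: clean the submitted popup fields before they are stored.
function example_pb_sanitize_popup_fields( array $raw ) {
    $raw = wp_unslash( $raw );

    $content     = isset( $raw['custom_content'] ) ? (string) $raw['custom_content'] : '';
    $description = isset( $raw['description'] ) ? (string) $raw['description'] : '';

    // Only users holding unfiltered_html may store raw markup. Admins on
    // multisite, or on sites defining DISALLOW_UNFILTERED_HTML, do not hold
    // it, so their input goes through the post-content allowlist, which
    // drops <script> elements and event-handler attributes.
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        $content = wp_kses_post( $content );
    }

    return array(
        'custom_content' => $content,
        // The description is treated as plain text: strip tags for every role.
        'description'    => sanitize_textarea_field( $description ),
    );
}

// Admin edit screen: stored values are shown as text, never parsed as HTML.
function example_pb_render_edit_fields( array $popup ) {
    printf(
        '<textarea name="custom_content">%s</textarea>',
        esc_textarea( $popup['custom_content'] )
    );
    printf(
        '<textarea name="description">%s</textarea>',
        esc_textarea( $popup['description'] )
    );
}

// Front end: filter again at output so values stored before the save-time
// check existed are neutralised too. This design choice means raw scripts
// are never emitted here, even for content saved by unfiltered_html holders.
function example_pb_render_popup( array $popup ) {
    echo '<div class="example-pb-description">' . esc_html( $popup['description'] ) . '</div>';
    echo '<div class="example-pb-content">' . wp_kses_post( $popup['custom_content'] ) . '</div>';
}
```

With these handlers, the payload from step 2 is stored without its script element for users lacking unfiltered_html, and is rendered as inert text in the edit form.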