The plugin autoloads data from its popup on every page. Because that data can be sent by unauthenticated users and is not validated for length, this could cause a denial of service on the blog.
1) Create a popup (as admin) and access the popup page (as an unauthenticated user)
2) Submit data through the form and intercept the request
3) In the request, add a payload called theme_id with any amount of data you want and send it
4) At each page view, the data that was sent will be loaded
Complete POC: https://youtu.be/Do0mLUY9t9I
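
A server-side length check before storage, combined with storing the value as a non-autoloaded option, addresses the issue described above. The PHP below is an added example, not the plugin's own code: the function names, the option name `popup_last_theme_id`, the AJAX action `popup_submit`, the 64-byte limit and the assumption that theme_id is a short identifier stored in the options table are all hypothetical.

```php
<?php
// Added example: hypothetical names, not the plugin's real identifiers.
const POPUP_THEME_ID_MAX_LEN = 64; // assumed limit; set it to what the field needs

/**
 * Return the value if it is a short identifier, otherwise null.
 * Assumes theme_id only needs letters, digits, '_' and '-'.
 */
function popup_validate_theme_id( $raw ) {
    if ( ! is_string( $raw ) || '' === $raw ) {
        return null; // missing field, or an array such as theme_id[]=...
    }
    if ( strlen( $raw ) > POPUP_THEME_ID_MAX_LEN ) {
        return null; // length in bytes, checked before anything is stored
    }
    return preg_match( '/\A[A-Za-z0-9_-]+\z/', $raw ) ? $raw : null;
}

// Handler for the popup form; reachable without authentication.
function popup_handle_submission() {
    $raw      = isset( $_POST['theme_id'] ) ? wp_unslash( $_POST['theme_id'] ) : '';
    $theme_id = popup_validate_theme_id( $raw );
    if ( null === $theme_id ) {
        wp_send_json_error( array( 'message' => 'Invalid theme_id' ), 400 );
    }
    // Third argument false: the option is not autoloaded on every page view.
    update_option( 'popup_last_theme_id', $theme_id, false );
    wp_send_json_success();
}

if ( function_exists( 'add_action' ) ) {
    // Running inside WordPress: register for logged-out and logged-in visitors.
    add_action( 'wp_ajax_nopriv_popup_submit', 'popup_handle_submission' );
    add_action( 'wp_ajax_popup_submit', 'popup_handle_submission' );
} elseif ( PHP_SAPI === 'cli' ) {
    // Stand-alone check with constructed inputs: valid, oversized, array.
    var_dump( popup_validate_theme_id( 'theme-2' ) );
    var_dump( popup_validate_theme_id( str_repeat( 'A', 100000 ) ) );
    var_dump( popup_validate_theme_id( array( 'x' ) ) );
}
```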