The plugin autoload data from its popup on every pages, as such data can be sent by unauthenticated user, and is not validated in length, this could cause a denial of service on the blog
PoC
- Create a popup (as admin) and access the popup page (as unauthenticated) 2) Send data on the form and intercept the request 3) In the request add a payload called theme_id with any amount of data you want and send it 4) At each pageview the data that was sent will be loaded Complete POC: https://youtu.be/Do0mLUY9t9I