The Popup Maker plugin for WordPress has a vulnerability in versions up to, and including, 1.17.1 that allows attackers with Contributor-level access or higher to enable and disable popups without the proper authorization to do so. This vulnerability is caused by a missing capability check on the save_popup_enabled_state function.