The Popup Maker plugin for WordPress is vulnerable to a type of attack called Cross-Site Request Forgery. This means that, in versions of the plugin up to and including version 1.18.0, the plugin does not have the necessary protection in place to prevent attackers from making requests to the plugin that could potentially harm the website. In this case, an attacker could send a request to the plugin to flush the popup cache, if they manage to trick a website administrator into clicking on a malicious link.