The "All Subscribers" setting page of Popup Builder was vulnerable to reflected Cross-Site Scripting.
sygnoos popup builder