One of the vulnerabilities Gall discovered in the Popup Builder plugin allows an unauthenticated attacker to inject malicious JavaScript code into any published popup and the code would then be ...