The plugin does not sanitize or escape some of its video settings, which could allow high-privileged users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Create/edit a video from a slider and put the following payload in the Description: <img src=x onerror=alert(/XSS/)>, then save/update the video (via the button below the Description textarea) and save/update the Slider (top right button).
The XSS will be triggered in any post/page where the Slider is embedded.
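
The missing controls described above, sketched as an added example (not the plugin's code): the description is filtered when it is saved and again when it is rendered, and a helper flags already-stored values for review. All example_* names and the CSS class are hypothetical, and the code assumes it runs inside WordPress, since it relies on the core functions wp_kses_post() and wp_unslash().

```php
<?php
/**
 * Added example; not the plugin's code. All example_* names are
 * hypothetical. Requires WordPress to be loaded.
 */

// Save path: filter the submitted description before it is stored.
// wp_kses_post() keeps the HTML allowed in post content and drops
// event handler attributes such as onerror.
function example_sanitize_video_description( $submitted ) {
    return wp_kses_post( wp_unslash( $submitted ) );
}

// Render path: filter again on output, so values stored before the fix
// (or written straight to the database) are neutralised as well.
function example_render_video_description( $stored ) {
    return '<div class="example-video-description">'
        . wp_kses_post( $stored )
        . '</div>';
}

// Audit helper: true when a stored value contains markup that the
// post-content allowlist would change, i.e. it deserves a manual look.
function example_description_needs_review( $stored ) {
    return wp_kses_post( $stored ) !== $stored;
}

// Constructed check using the payload quoted in the advisory.
function example_self_check() {
    $payload = '<img src=x onerror=alert(/XSS/)>';
    $clean   = example_sanitize_video_description( $payload );
    return array(
        'handler_removed' => false === stripos( $clean, 'onerror' ),
        'flagged'         => example_description_needs_review( $payload ),
        'rendered'        => example_render_video_description( $clean ),
    );
}
```

Because wp_kses_post() also normalises harmless markup, the audit helper can flag benign values; treat a hit as a prompt for review rather than proof of injection.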