The plugin does not properly sanitize or escape the slide title before outputting it in the admin pages, allowing a logged in user with roles as low as Author to inject a javascript payload into the slide title even when the unfiltered_html capability is disabled. An incomplete fix was introduced in version 2.3.46
Create new Slide where the tile is the XSS payload: ';alert(title);//'
The script then will be executed everywhere when the code is embedded.