The plugin does not sanitise and escape some of its slider settings, such as mpsp_posts_bg_color, mpsp_posts_description_color and mpsp_slide_nav_button_color, which could allow users with the edit_post capability (contributor and above) to perform Cross-Site Scripting attacks.
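
One way to close this class of bug for colour settings is to validate on save and escape on output. The following is an added example in plain PHP, not the plugin's own code. The three setting names come from the advisory; the mpsp_example_* function names, the default colour and the way the values are rendered into a style attribute are assumptions.

```php
<?php
// Added example: the setting names are from the advisory, everything else is assumed.
// Hypothetical list of the colour settings to protect.
const MPSP_COLOR_KEYS = [
    'mpsp_posts_bg_color',
    'mpsp_posts_description_color',
    'mpsp_slide_nav_button_color',
];

// Allow-list check: accept only #RGB or #RRGGBB, otherwise fall back to a default.
// Inside WordPress, sanitize_hex_color() applies the same rule.
function mpsp_example_sanitize_color(string $value, string $default = '#ffffff'): string
{
    $value = trim($value);
    return preg_match('/^#(?:[0-9a-fA-F]{3}){1,2}$/D', $value) === 1 ? $value : $default;
}

// Sanitise on save: every colour setting is validated before it is stored.
function mpsp_example_sanitize_settings(array $input): array
{
    $clean = [];
    foreach (MPSP_COLOR_KEYS as $key) {
        $raw = isset($input[$key]) && is_string($input[$key]) ? $input[$key] : '';
        $clean[$key] = mpsp_example_sanitize_color($raw);
    }
    return $clean;
}

// Escape on output: re-validate (stored values may predate the fix) and encode
// for the attribute context. Inside WordPress, esc_attr() does the encoding.
function mpsp_example_style_attr(array $settings): string
{
    $bg  = mpsp_example_sanitize_color((string) ($settings['mpsp_posts_bg_color'] ?? ''));
    $fg  = mpsp_example_sanitize_color((string) ($settings['mpsp_posts_description_color'] ?? ''), '#000000');
    $css = sprintf('background-color:%s;color:%s', $bg, $fg);
    return 'style="' . htmlspecialchars($css, ENT_QUOTES, 'UTF-8') . '"';
}

// Constructed sample input: a valid colour, a value carrying markup, and a missing key.
$submitted = [
    'mpsp_posts_bg_color'          => '#1a2b3c',
    'mpsp_posts_description_color' => '#fff"><b>markup</b>',
];
$clean = mpsp_example_sanitize_settings($submitted);
print_r($clean);   // the markup value and the missing key both become the default
echo mpsp_example_style_attr($clean), PHP_EOL;
```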