The plugin does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).
1. Go to "Slider » Sliders" and edit one of the Sliders or add a new one.
2. Click "Slide options" and enter: 1" onmouseenter="alert(/XSS/)" " in the input box named "Link the slide to".
3. Click Save » refresh the page, and hover the mouse over the input box under "Slide options" to check the XSS popup.
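The sanitise-on-save and escape-on-output pattern that closes this class of issue regardless of the unfiltered_html capability, shown as an added illustration rather than the affected plugin's own code; the meta key, field name and nonce action are assumptions.

```php
<?php
// Added example, not the affected plugin's code. Shows the unsafe pattern
// (store raw, echo raw into an attribute) next to the hardened one.
// '_slide_link', 'slide_link' and the nonce action are assumed names.

// Unsafe: the submitted value is stored and echoed without any treatment,
// so a value such as  1" onmouseenter="alert(/XSS/)" "  closes the value
// attribute and injects an event handler into the settings page.
function insecure_save_slide_link( $slide_id ) {
    update_post_meta( $slide_id, '_slide_link', $_POST['slide_link'] );
}
function insecure_render_slide_link_field( $slide_id ) {
    $link = get_post_meta( $slide_id, '_slide_link', true );
    echo '<input type="text" name="slide_link" value="' . $link . '">';
}

// Hardened: check capability and nonce, validate the value as a URL when
// saving, and escape for the HTML attribute context when rendering.
function secure_save_slide_link( $slide_id ) {
    if ( ! current_user_can( 'edit_post', $slide_id ) ) {
        return;
    }
    check_admin_referer( 'save_slide_' . $slide_id );
    $raw = isset( $_POST['slide_link'] ) ? wp_unslash( $_POST['slide_link'] ) : '';
    // esc_url_raw() drops characters that are not valid in a URL (quotes,
    // spaces, angle brackets) and rejects disallowed schemes.
    $link = esc_url_raw( $raw );
    update_post_meta( $slide_id, '_slide_link', $link );
}
function secure_render_slide_link_field( $slide_id ) {
    $link = get_post_meta( $slide_id, '_slide_link', true );
    // esc_attr() encodes " as &quot;, so the stored value cannot terminate
    // the attribute even if sanitisation on save were ever bypassed.
    printf( '<input type="text" name="slide_link" value="%s">', esc_attr( $link ) );
}
function secure_render_slide_anchor( $slide_id ) {
    $link = get_post_meta( $slide_id, '_slide_link', true );
    // Same value in an href context: esc_url() is the context-appropriate escape.
    printf( '<a href="%s">slide</a>', esc_url( $link ) );
}
```

Escaping belongs at output even when input is sanitised, because the two steps defend against different failures (a bypassed or later-added save path versus a mis-rendered value).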