The plugin does not sanitise and escape the Slide “Title”, “Description”, and Gallery “Title” fields, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed
Create/edit a Slide (/wp-admin/admin.php?page=slideshow-slides) and put the following payload in the Title or Description fields: <script>alert(/XSS/)</script>
Create/edit a Gallery (/wp-admin/admin.php?page=slideshow-galleries) and put the following payload in the Title field: <script>alert(/XSS/)</script>
The XSS will be triggered in both backend (Title field, in the Slide/Gallery list pages) and frontend (in pages/posts where the Slide/Gallery is embed)