The plugin does not sanitise and escape the Description field when editing a gallery, allowing users with a role as low as Contributor to perform stored Cross-Site Scripting attacks against other users who have access to the gallery dashboard.
As a Contributor, create or edit a gallery and enter the following payload in the Description field: "><img src onerror=alert(/XSS/)>
The XSS is triggered when the gallery is edited (for example, by an admin reviewing it).
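As an added example of the missing sanitisation and escaping described above (this is not code from the affected plugin; the function names, the `gallery_description` field and the `_gallery_description` meta key are hypothetical), a vulnerable save/render pair beside its hardened form using standard WordPress functions:

```php
<?php
// Added example, not the plugin's code. Handler names and meta key are hypothetical.
// Vulnerable pattern: the Description is stored and re-echoed untouched, so a value
// such as "><img src onerror=alert(/XSS/)> closes the value="..." attribute and
// injects markup that runs for whoever opens the gallery edit screen.
function gallery_save_description_vulnerable( $gallery_id ) {
    update_post_meta( $gallery_id, '_gallery_description', $_POST['gallery_description'] );
}
function gallery_render_description_vulnerable( $gallery_id ) {
    $desc = get_post_meta( $gallery_id, '_gallery_description', true );
    echo '<input type="text" name="gallery_description" value="' . $desc . '">';
}

// Hardened pattern: check the nonce and the capability, sanitise on input, and
// escape for the exact output context (attribute, textarea, or HTML body).
function gallery_save_description( $gallery_id ) {
    check_admin_referer( 'gallery_save_' . $gallery_id ); // nonce emitted by wp_nonce_field() in the form
    if ( ! current_user_can( 'edit_post', $gallery_id ) ) {
        wp_die( 'Insufficient permissions' );
    }
    $raw  = isset( $_POST['gallery_description'] ) ? wp_unslash( $_POST['gallery_description'] ) : '';
    $desc = sanitize_textarea_field( $raw ); // strips tags and invalid UTF-8 on the way in
    update_post_meta( $gallery_id, '_gallery_description', $desc );
}
function gallery_render_description( $gallery_id ) {
    $desc = get_post_meta( $gallery_id, '_gallery_description', true );
    // esc_attr() encodes " as &quot;, so a stored value cannot break out of value="..."
    echo '<input type="text" name="gallery_description" value="' . esc_attr( $desc ) . '">';
    // A textarea needs esc_textarea(); output in the page body would use esc_html().
    echo '<textarea name="gallery_description">' . esc_textarea( $desc ) . '</textarea>';
}
```

Escaping on output is the control that neutralises an already-stored payload; sanitising on input alone does not protect values saved before the fix.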