Description
The plugin does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.
1. Add the "NextGEN Media RSS" Widget to the blog (Appearance > Widgets)
2. Change the "Tooltip text for Media RSS link" to `feed" asdasd='' onmouseover='alert(1)'`
3. Save the settings and view the site
4. Move your mouse over the icon/text to see the XSS
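The root cause is a widget setting written into an HTML attribute without sanitisation on save or escaping on output. The following is an added example (not the plugin's own code) contrasting that pattern with the WordPress-idiomatic fix; the option name `mrss_text`, the function names and the `/feed/` URL are hypothetical, and the two shims only stand in for WordPress's `sanitize_text_field()` and `esc_attr()` so the file runs outside WordPress.

```php
<?php
// Added example, not the plugin's code. Shows why escaping in attribute
// context neutralises the payload from step 2 above.

// Shims so this runs outside WordPress; inside WordPress the real
// sanitize_text_field() and esc_attr() are already defined.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($text) {
        // Strip tags, control characters and surrounding whitespace.
        $text = strip_tags((string) $text);
        $text = preg_replace('/[\x00-\x1F\x7F]/', '', $text);
        return trim($text);
    }
}

// Vulnerable pattern: the stored setting is concatenated straight into
// the title attribute, so a double quote breaks out of the attribute.
function render_rss_link_vulnerable(array $instance): string {
    $title = $instance['mrss_text'] ?? '';   // hypothetical option name
    return '<a href="/feed/" title="' . $title . '">Media RSS</a>';
}

// Hardened pattern, part 1: sanitise in the widget's update() handler
// before the value reaches the options table.
function save_rss_widget_settings(array $new_instance, array $old_instance): array {
    $instance = $old_instance;
    $instance['mrss_text'] = sanitize_text_field($new_instance['mrss_text'] ?? '');
    return $instance;
}

// Hardened pattern, part 2: escape for attribute context in widget(),
// regardless of what was stored. Both layers are needed: stored data may
// predate the fix or come from a different code path.
function render_rss_link_hardened(array $instance): string {
    $title = esc_attr($instance['mrss_text'] ?? '');
    return '<a href="/feed/" title="' . $title . '">Media RSS</a>';
}

// Constructed input: the exact string from step 2 of the PoC.
$payload = "feed\" asdasd='' onmouseover='alert(1)'";

echo render_rss_link_vulnerable(['mrss_text' => $payload]), PHP_EOL;
$saved = save_rss_widget_settings(['mrss_text' => $payload], []);
echo render_rss_link_hardened($saved), PHP_EOL;
```

In the hardened output the quotes are emitted as entities, so the browser treats the whole string as the title text and no new `onmouseover` attribute is created.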