Description

The plugin does not validate and escape some of its Gallery settings before outputting them back in the page, which could allow users with a role as low as Author to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin.
Create a new Gallery (with at least one image) and put the below payload in the Gallery Settings > Advanced > Custom Attributes settings:

123="" onpointerenter="alert(/XSS/)"

The XSS will be triggered in the page/post where the gallery is embedded when the mouse is moved over the image from the gallery.
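
The missing validation and escaping described above, shown as the unsafe output pattern beside a hardened one; this is an added example, not the plugin's code. It assumes the Custom Attributes setting is stored as a raw attribute string; the function names and the allowlist are hypothetical, and inside WordPress `esc_attr()` would take the place of `htmlspecialchars()`.

```php
<?php
// Added example: function names and the allowlist are hypothetical,
// not taken from the plugin.

// Vulnerable pattern: the saved setting is concatenated into the tag as-is.
function render_img_unsafe(string $src, string $customAttrs): string {
    return '<img src="' . htmlspecialchars($src, ENT_QUOTES, 'UTF-8') . '" '
        . $customAttrs . '>';
}

// Hardened pattern, step 1: parse name="value" pairs and keep only
// allowlisted names. Event handlers (on*) never pass the allowlist.
function sanitize_custom_attrs(string $raw): array {
    $allowed = ['title', 'rel', 'class'];            // constructed allowlist
    $clean = [];
    $re = '/(?<!\S)([A-Za-z][A-Za-z0-9_-]*)\s*=\s*(?|"([^"]*)"|\'([^\']*)\')/';
    preg_match_all($re, $raw, $pairs, PREG_SET_ORDER);
    foreach ($pairs as $pair) {
        $name = strtolower($pair[1]);
        $isData = preg_match('/^data-[a-z0-9_-]+$/', $name) === 1;
        if ($isData || in_array($name, $allowed, true)) {
            $clean[$name] = $pair[2];
        }
    }
    return $clean;
}

// Hardened pattern, step 2: escape every value at output time.
function render_img_safe(string $src, string $customAttrs): string {
    $html = '<img src="' . htmlspecialchars($src, ENT_QUOTES, 'UTF-8') . '"';
    foreach (sanitize_custom_attrs($customAttrs) as $name => $value) {
        $html .= ' ' . $name . '="'
            . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '"';
    }
    return $html . '>';
}

// Constructed setting value: the page's payload plus two benign attributes.
$setting = '123="" onpointerenter="alert(/XSS/)" data-caption="Sunset" title="a&b"';
echo render_img_unsafe('/img/1.jpg', $setting), PHP_EOL; // handler survives
echo render_img_safe('/img/1.jpg', $setting), PHP_EOL;   // handler dropped
```

Running the same allowlist when the setting is saved, as well as when it is rendered, keeps unsafe attributes out of the database as well as out of the page.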