The plugin does not sanitise and escape some of its image settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).
Create or edit a gallery with at least one image and put the following payload in the "Alt & Title Text" field: State of Mind"autofocus onfocus=alert(/XSS/)//
Save the changes (via the button next to the Apply button). The XSS will be triggered when the gallery is edited again.
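The root cause described above is a stored value that is echoed back into an HTML attribute without escaping, so the closing quote in the payload terminates the attribute and the rest becomes live markup. The following PHP is an added illustration of the vulnerable pattern beside the hardened one; it is not the plugin's own code. The function names (ngg_example_*) and the field name 'alttext' are assumptions, and the fallback definitions of sanitize_text_field() and esc_attr() are approximations so the file also runs outside WordPress.

```php
<?php
// Added example (not the plugin's code): save-time sanitisation and
// output-time escaping for a gallery image's alt/title text.
// Function names (ngg_example_*) and the field name 'alttext' are assumptions.

// Fallbacks so this file also runs outside WordPress (plain `php file.php`).
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($str) {
        // Approximation of WordPress' sanitize_text_field(): strip tags,
        // control characters and surrounding whitespace.
        $str = strip_tags((string) $str);
        $str = preg_replace('/[\x00-\x1F\x7F]/', '', $str);
        return trim($str);
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($str) {
        // Approximation of WordPress' esc_attr(): encode quotes and angle brackets.
        return htmlspecialchars((string) $str, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Vulnerable pattern: the stored value is concatenated straight into the attribute.
// A double quote in the value ends the attribute and anything after it is parsed
// as further attributes of the <input>, such as an event handler.
function ngg_example_render_unsafe($alttext) {
    return '<input type="text" name="alttext" value="' . $alttext . '">';
}

// Hardened pattern, step 1: sanitise when the setting is saved.
function ngg_example_save($raw_alttext) {
    return sanitize_text_field($raw_alttext);
}

// Hardened pattern, step 2: escape when the setting is rendered.
// esc_attr() turns " into &quot; and < > into entities, so the value can no
// longer close the attribute regardless of what was stored.
function ngg_example_render_safe($stored_alttext) {
    return '<input type="text" name="alttext" value="' . esc_attr($stored_alttext) . '">';
}

// Constructed input: the string from the advisory's proof of concept.
$payload = 'State of Mind"autofocus onfocus=alert(/XSS/)//';

echo "unsafe: " . ngg_example_render_unsafe($payload) . "\n";
echo "safe:   " . ngg_example_render_safe(ngg_example_save($payload)) . "\n";
```

Note that sanitize_text_field() alone does not neutralise this particular string, because it contains no HTML tags; the control that actually prevents the attribute breakout is esc_attr() at output time, which should be applied unconditionally. The unfiltered_html capability governs what KSES strips from post content on save; it does not protect a plugin that echoes its own settings unescaped, which is why an admin without that capability can still end up storing an executable value here.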