In the plugin, the Custom CSS field of each gallery is not properly sanitised or validated before being output in the page where the gallery is embedded, leading to a stored Cross-Site Scripting issue.
Create or edit a gallery and add the following payload in the Custom CSS field: </style><svg/onload=alert(document.domain)>
Then, view the embedded gallery (which must have at least one image) in a page or post to trigger the XSS.
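The following is an added example, not the plugin's code or its actual fix: a plain-PHP sketch of rejecting the value at save time and encoding it when it is written into a style block. All function names are hypothetical, and it assumes the field is emitted inside a `<style>` element, as the payload above implies.

```php
<?php
// Added example. Function names are hypothetical, not the plugin's own.

// Save-time check: "</" is what lets a value end the <style> element early,
// and stylesheet syntax never requires it, so reject it outright.
function gallery_css_is_acceptable(string $css): bool
{
    return strpos($css, '</') === false;
}

// Output-time encoding for values already in the database. <style> content is
// parsed as raw text, so only "</style" can close it; "<\/" never matches
// that, and "<" alone (media query ranges) is left untouched.
function gallery_css_for_style_block(string $css): string
{
    return str_replace('</', '<\\/', $css);
}

function render_gallery_style(string $css): string
{
    return "<style>\n" . gallery_css_for_style_block($css) . "\n</style>";
}

// Constructed sample values: the payload from this advisory and a benign rule.
$samples = [
    'payload' => '</style><svg/onload=alert(document.domain)>',
    'benign'  => '@media (width < 600px) { .gallery img { margin: 0 } }',
];

foreach ($samples as $label => $css) {
    $verdict = gallery_css_is_acceptable($css) ? 'accept' : 'reject';
    echo "[$label] save-time check: $verdict\n";
    echo render_gallery_style($css), "\n\n";
}
```

Run with the PHP CLI: the payload is rejected by the save-time check, and if rendered anyway it stays inside the style element as invalid CSS, while the benign rule passes through unchanged.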