The plugin does not sanitise and escape some of its gallery settings, which could allow high privilege users to perform Cross-Site scripting attacks even when the unfiltered_html capability is disallowed.
Create/edit a gallery and put the following payload in the "Back Button Text" setting, then publish it: "><script>alert(/XSS/)</script>
The XSS will be triggered when accessing the gallery setting again, as well as in page/s where the Gallery is embed