The plugin does not sanitise and escape the Album's name before outputting it in pages/posts with a media embed, which could allow high-privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
https://youtu.be/kTMg65teTvU
Create an Album with the following payload as Name: test"><img src onerror=alert(/XSS/)>
Add a media item via the "Add/Import files" menu and select the album created above
The XSS will be triggered when viewing the media post
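
The missing sanitise-and-escape step described above, shown as an added example that is not the plugin's code: the function names and the embed markup are hypothetical, and the small stand-ins only exist so the file also runs outside WordPress, where the real `esc_attr()`, `esc_html()` and `sanitize_text_field()` are used instead.

```php
<?php
// Added illustration, not the plugin's code: function names and markup are hypothetical.

// Stand-ins so the file also runs outside WordPress; inside WordPress the
// real esc_attr(), esc_html() and sanitize_text_field() are already defined.
if (!function_exists('esc_attr')) {
    function esc_attr($s) { return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8'); }
}
if (!function_exists('esc_html')) {
    function esc_html($s) { return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8'); }
}
if (!function_exists('sanitize_text_field')) {
    // Rough approximation of the core function: strip tags, collapse whitespace.
    function sanitize_text_field($s) {
        return trim(preg_replace('/\s+/', ' ', strip_tags((string) $s)));
    }
}

// Before: the stored name goes into an attribute and a text node unescaped.
function render_album_unsafe($name) {
    return '<div class="album" data-album="' . $name . '">'
         . '<span class="album-title">' . $name . '</span></div>';
}

// After: escape at output time, for the context each copy lands in.
function render_album_safe($name) {
    return '<div class="album" data-album="' . esc_attr($name) . '">'
         . '<span class="album-title">' . esc_html($name) . '</span></div>';
}

// True if the album name produced an element of its own in the markup.
function has_injected_img($html) {
    return stripos($html, '<img') !== false;
}

$name   = 'test"><img src onerror=alert(/XSS/)>';  // album name from the steps above
$stored = sanitize_text_field($name);              // sanitise when saving the album

foreach ([
    'unsafe, raw name'    => render_album_unsafe($name),
    'safe, raw name'      => render_album_safe($name),
    'unsafe, stored name' => render_album_unsafe($stored),
    'safe, stored name'   => render_album_safe($stored),
] as $label => $html) {
    printf("%-20s injected=%s\n  %s\n", $label, has_injected_img($html) ? 'yes' : 'no', $html);
}
```

With the stand-in sanitiser the stored name still carries the `">` that closes the attribute, which is why the escaping at output is needed in addition to sanitising on save.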