The plugin does not perform authorisation or CSRF checks when updating its gallery settings via the update() function hooked to admin_menu, allowing any authenticated user, such as a subscriber, to update them and store Cross-Site Scripting payloads in them due to the lack of sanitisation and escaping.
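For comparison, an added example (not the plugin's own code) of how a settings-update handler hooked to admin_menu looks with the four missing controls in place: a capability check, a nonce check, sanitisation on save and escaping on output. The option key `gr_gallery_settings`, the nonce action `gr_gallery_update` and the field names are hypothetical.

```php
<?php
// Added example, not the affected plugin's code. Option key, nonce action and
// field names below are hypothetical.

add_action( 'admin_menu', 'gr_gallery_update' );

function gr_gallery_update() {
    // Only act when the settings form was actually submitted.
    if ( ! isset( $_POST['gr_gallery_submit'] ) ) {
        return;
    }

    // Authorisation: admin_menu fires for every logged-in user, so a capability
    // check is what keeps a subscriber from reaching this code path.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change these settings.' ), '', 403 );
    }

    // CSRF: require the nonce that the settings form emitted with wp_nonce_field().
    check_admin_referer( 'gr_gallery_update', 'gr_gallery_nonce' );

    // Sanitisation: coerce each field to the type it is expected to hold before it
    // is stored, so markup never reaches the database.
    $settings = array(
        'title'    => sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) ),
        'columns'  => max( 1, min( 12, absint( $_POST['columns'] ?? 3 ) ) ),
        'link_url' => esc_url_raw( wp_unslash( $_POST['link_url'] ?? '' ) ),
    );

    update_option( 'gr_gallery_settings', $settings );
}

// Escaping: stored values are escaped again at output time, in the context they
// are printed into (attribute, HTML body or href), regardless of how they were saved.
function gr_gallery_render_settings_form() {
    $defaults = array( 'title' => '', 'columns' => 3, 'link_url' => '' );
    $s        = wp_parse_args( get_option( 'gr_gallery_settings', array() ), $defaults );

    echo '<form method="post">';
    wp_nonce_field( 'gr_gallery_update', 'gr_gallery_nonce' );
    echo '<input type="text" name="title" value="' . esc_attr( $s['title'] ) . '">';
    echo '<input type="number" name="columns" value="' . (int) $s['columns'] . '">';
    echo '<input type="url" name="link_url" value="' . esc_url( $s['link_url'] ) . '">';
    echo '<p>' . esc_html( $s['title'] ) . '</p>';
    submit_button( 'Save', 'primary', 'gr_gallery_submit' );
    echo '</form>';
}
```

The capability check is the control that closes the subscriber path described above; the nonce check alone would still let a logged-in administrator be tricked into submitting the form.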