1) As admin, go to the plugin settings (wp-admin/options-general.php?page=admin-options.php)
2) In either "Bar Size" or "Image Counter Separator", add the payload: "/><script>alert(1)</script>
3) Save and reload the page to see the popup


As user:
Prerequisite: a post or page with the gallery widget
1) Visit any post that contains the gallery widget
2) The malicious payload above will be reflected in the page source code.
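
The fix for this class of bug, as an added example (not the plugin's code): sanitize the two settings on save and escape them on output. It assumes the values are echoed into double-quoted HTML attributes, as the payload's leading "/> suggests; the function names and markup are hypothetical, and plain PHP stands in for WordPress's absint(), sanitize_text_field() and esc_attr().

```php
<?php
// Added example: plain PHP, no WordPress required. Function names, the markup
// and the 'px' unit are hypothetical; they are not taken from the plugin.

// Vulnerable pattern: stored setting concatenated into attributes as-is.
function render_vulnerable(array $opts): string {
    return '<div class="gallery" data-separator="' . $opts['separator']
         . '" style="height:' . $opts['bar_size'] . 'px"></div>';
}

// Fix 1, on save: coerce "Bar Size" to a non-negative integer and strip
// tags and control characters from "Image Counter Separator".
// WordPress equivalents: absint() and sanitize_text_field().
function sanitize_on_save(array $input): array {
    $sep = preg_replace('/[\x00-\x1F\x7F]/', '', strip_tags((string) ($input['separator'] ?? '')));
    return [
        'bar_size'  => abs((int) ($input['bar_size'] ?? 0)),
        'separator' => trim($sep),
    ];
}

// Fix 2, on output: escape for the attribute context even if the stored
// value was sanitized, since rows may predate the fix. WordPress: esc_attr().
function render_hardened(array $opts): string {
    $attr = fn($v) => htmlspecialchars((string) $v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="gallery" data-separator="' . $attr($opts['separator'])
         . '" style="height:' . (int) $opts['bar_size'] . 'px"></div>';
}

// Constructed input: the payload from step 2 in both fields.
$payload = '"/><script>alert(1)</script>';
$stored  = ['bar_size' => $payload, 'separator' => $payload];

$checks = [
    'vulnerable, raw value'     => render_vulnerable($stored),
    'hardened, raw value'       => render_hardened($stored),
    'hardened, sanitized value' => render_hardened(sanitize_on_save($stored)),
];
foreach ($checks as $label => $html) {
    // A literal <script in the output means the value escaped its attribute.
    printf("%-28s %s\n", $label, stripos($html, '<script') !== false ? 'BREAKOUT' : 'contained');
}
```

Escaping on output is the control that matters for rows already stored before a fix; sanitizing on save alone leaves them live.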