## https://sploitus.com/exploit?id=WPEX-ID:9C70CFC4-5759-469A-A6A3-510C405BD28A
1) As admin, go to the plugin settings (`wp-admin/options-general.php?page=admin-options.php`)
2) In either "Bar Size" or "Image Counter Separator", add the payload `"/><script>alert(1)</script>`
3) Save and reload the page to see the popup

---

As user:
Prerequisite: a post or page with the gallery widget
1) Visit any post that contains the gallery widget
2) The malicious payload above will get reflected inside the page source code.
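
The fix for this class of bug is to validate the two settings when they are saved and to escape them when they are printed. The following is an added example, not the plugin's own code: the function names and the `<input>` markup are hypothetical, and it assumes the values are printed inside an HTML attribute, as the `"/>` prefix of the payload suggests. It is plain PHP so it runs from the CLI (with the mbstring extension); in WordPress the output escaping is done by `esc_attr()` and the integer coercion by `absint()`.

```php
<?php
// Added example: names and markup are hypothetical, not taken from the plugin.

// Validate on save: "Bar Size" is assumed to be a bounded integer.
function sanitize_bar_size($raw): int {
    $n = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 500]]);
    return $n === false ? 0 : $n; // anything non-numeric falls back to 0
}

// Validate on save: the separator is assumed to be a short plain-text string.
function sanitize_separator($raw): string {
    $s = strip_tags((string) $raw);                      // drop markup
    $s = preg_replace('/[\x00-\x1F\x7F]/', '', $s) ?? ''; // drop control bytes
    return mb_substr($s, 0, 8);                          // cap the length
}

// Escape on output for an HTML attribute context (esc_attr() in WordPress).
function attr(string $v): string {
    return htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Before: the stored value is concatenated straight into the attribute.
function render_vulnerable(string $sep): string {
    return '<input type="text" name="separator" value="' . $sep . '" />';
}

// After: the same markup with the value escaped for the attribute.
function render_hardened(string $sep): string {
    return '<input type="text" name="separator" value="' . attr($sep) . '" />';
}

// The payload as written in step 2 above, used as sample input.
$payload = '"/><script>alert(1)</script>';

echo render_vulnerable($payload), PHP_EOL;                    // attribute is closed early
echo render_hardened($payload), PHP_EOL;                      // payload stays inside value=""
echo render_hardened(sanitize_separator($payload)), PHP_EOL;  // save-time and output-time defences together
echo sanitize_bar_size($payload), PHP_EOL;                    // non-numeric input is rejected
```

Escaping at output is the control that matters here, because it also neutralises values that were stored before the save-time validation existed.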