Envira Gallery Lite < 18.104.22.168 - Authenticated Stored Cross-Site Scripting
The plugin does not properly sanitise image metadata (namely the title) before outputting it in the generated gallery. This allows privileged accounts such as editor+ to perform XSS attacks (even without the unfiltered_html capability) against users visiting the gallery in the frontend.
Proof of Concept
As an editor+, add an image to a gallery and set its title (via the metadata) to <img src onerror=alert(/XSS/)>. Then view a page where the gallery is embedded.
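The defect described above, shown as an unescaped renderer beside one that escapes the title at output time. This is an added example, not code from the plugin or from the original advisory: the function names and the $images array are hypothetical, the sample data is constructed, and htmlspecialchars() stands in for the escaping a WordPress plugin would do with esc_attr(), esc_html() and esc_url().

```php
<?php
// Added illustration, not Envira Gallery's code. Function names and the
// $images structure are hypothetical; the sample data is constructed.

// Constructed gallery data: the second title is the PoC value from this advisory.
$images = [
    ['src' => '/uploads/cat.jpg', 'title' => 'A cat'],
    ['src' => '/uploads/dog.jpg', 'title' => '<img src onerror=alert(/XSS/)>'],
];

// Vulnerable pattern: the stored title is concatenated into the page as-is,
// so markup placed in it reaches the visitor's browser as HTML in the caption.
function render_gallery_unsafe(array $images): string {
    $html = '';
    foreach ($images as $img) {
        $html .= '<figure><img src="' . $img['src'] . '" alt="' . $img['title'] . '">'
               . '<figcaption>' . $img['title'] . '</figcaption></figure>' . "\n";
    }
    return $html;
}

// Escape at the point of output. ENT_QUOTES covers both quote styles so the
// same helper is safe inside attribute values and in element content.
function e(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened pattern: every stored value is escaped before it is emitted.
function render_gallery_safe(array $images): string {
    $html = '';
    foreach ($images as $img) {
        $html .= '<figure><img src="' . e($img['src']) . '" alt="' . e($img['title']) . '">'
               . '<figcaption>' . e($img['title']) . '</figcaption></figure>' . "\n";
    }
    return $html;
}

echo "--- unsafe ---\n", render_gallery_unsafe($images);
echo "--- safe ---\n", render_gallery_safe($images);

// The escaped output must not carry the raw tag from the stored title.
assert(strpos(render_gallery_safe([$images[1]]), '<img src onerror') === false);
```

Escaping on output protects visitors even when a payload is already stored in existing gallery metadata, which sanitising only on save would not.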