$_GET['order'] is not escaped before it is output, so it can be used for XSS.
The same value also reaches an SQL query, so it can be used for SQL injection as well:
In the Pro version, if you have more than 10 galleries,
$_GET['Gallerypage'] is not escaped either.
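To make the two findings concrete, here is an added PHP illustration. It is not the plugin's own code (the affected source is not reproduced in this advisory): it reconstructs the pattern described above, request values concatenated into HTML and into an ORDER BY clause, next to a hardened version. The table name, the column allow-list, the assumption that 'order' selects a sort column and that 'Gallerypage' is a page number, and the helper names gallery_list_vulnerable / gallery_list_hardened are all assumptions.

```php
<?php
// Added example, not the plugin's code. Assumes the WordPress $wpdb
// global and the standard WordPress escaping helpers.

// Assumed shape of the vulnerable code: both GET parameters are used
// without any sanitising or escaping.
function gallery_list_vulnerable() {
    global $wpdb;
    $order = $_GET['order'];        // e.g. order="><script>alert(1)</script>
    $page  = $_GET['Gallerypage'];  // e.g. Gallerypage="><script>alert(1)</script>

    // XSS: raw values are echoed into markup shown to the administrator.
    echo '<input type="hidden" name="order" value="' . $order . '">';
    echo '<a href="?Gallerypage=' . $page . '">Next</a>';

    // SQL injection: the raw 'order' value is concatenated into the query.
    // ORDER BY takes an identifier, so $wpdb->prepare() could not bind it
    // anyway; the only safe approach is an allow-list (see below).
    $sql = "SELECT * FROM {$wpdb->prefix}gallery ORDER BY " . $order . " LIMIT 10";
    return $wpdb->get_results( $sql );
}

// Hardened version: allow-list the sort column, force the page number to
// an integer, bind numeric values with prepare(), and escape on output.
function gallery_list_hardened() {
    global $wpdb;
    $per_page = 10;

    // Map the request value onto known columns; anything else falls back
    // to a default instead of reaching the query.
    $allowed = array( 'id' => 'id', 'name' => 'name', 'date' => 'created' );
    $key     = isset( $_GET['order'] ) ? sanitize_key( wp_unslash( $_GET['order'] ) ) : 'id';
    $column  = isset( $allowed[ $key ] ) ? $allowed[ $key ] : 'id';

    // Page number: positive integer only.
    $page = isset( $_GET['Gallerypage'] ) ? max( 1, absint( $_GET['Gallerypage'] ) ) : 1;

    // Escape for the context the value lands in (attribute, URL).
    echo '<input type="hidden" name="order" value="' . esc_attr( $key ) . '">';
    echo '<a href="' . esc_url( add_query_arg( 'Gallerypage', $page + 1 ) ) . '">Next</a>';

    // $column comes only from the allow-list; the LIMIT operands are bound
    // as integers via %d.
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}gallery ORDER BY {$column} LIMIT %d, %d",
        ( $page - 1 ) * $per_page,
        $per_page
    );
    return $wpdb->get_results( $sql );
}
```

The allow-list is the important part: escaping functions such as esc_sql() protect string literals, not identifiers, so an ORDER BY column taken from the request has to be matched against a fixed set of names. Output escaping (esc_attr, esc_url) is applied regardless of how the value is used elsewhere, since the XSS here is triggered on pages the administrator views.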
Proof of Concept:
The XSS is rendered in pages viewed by the administrator.
If you have the PRO version and more than 10 galleries:
- 02-12-2015: Discovered
- 02-12-2015: Vendor notified
- 23-04-2015: Version 1.6.1 released, issue resolved