Yesterday we released posts for vulnerabilities in 16 plugins, which all shared the same code that allowed anyone access to functions only intended to be accessible to Administrator level users. For two of those plugins though the most serious vulnerability permitted by this did not exist. That vulnerability was the ability to upload arbitrary files, which could allow a hacker to upload .php file and then use that to perform any action they want on the website.
The Royal Gallery plugin has a persistent cross-site scripting (XSS) vulnerability (and possibly other security issues) as of version 2.3. The details of the underlying issue that causes this can be found in our post for the same vulnerability in the plugin Flip Slideshow, which shares the same vulnerable code.