BK-MultiThumb, 3.7.1 and below, XSS (Cross Site Scripting)
Extension contains known vulnerable version of JS library prettyPhoto.
The vulnerability in JS file was patched by extension author on basis of 3.1.5 file.
Update notice: http://joomla.rjews.net/bk-multithumb
please contact the developer for more information.