I tested the demo site you provided. I see that there is an Stored XSS vulnerability. I hope you can check and provide a fix as soon as possible.
Link video Poc
https://drive.google.com/file/d/1BaAnaZQyf__bUTu54rzwRtTevr-wx100/view?usp=sharing
1 .Login as account demo
2 .Access the module Submissions
3 .Then create a New Submissions
4 .Pass the payload to the Title field in the Import Metadata section
Payload
test"><script>alert(document.cookie)</script>
5 .Then save the submissions and click on activity log & note and the payload will be executed