The plugin does not sanitise and escape the POST data before outputting it back in attributes of an admin page, leading to a Reflected Cross-Site scripting. Due to the presence of specific parameter value, available to admin users, this can only be exploited by an admin against another admin user.
The GOTMLS_mt parameter value is retrieved when being logged in as admin and view the source code of /wp-admin/admin.php?page=GOTMLS-settings for example. Then, use the code below to XSS another admin