Description I noticed, your website is very secure.
But you overlooked a flaw XSS
Proof of Concept
1 .Login vs admin demo account and access admin page.
2 .Create a category titled “test456”.
3 .Go to Configuration ==> Edit configuration.
4 .Change the “URL of your FAQ” data field with the payload:
javascript:alert(1)"
5 . Back to the homepage, see the site structure has been completely changed. Click “test456” detect XSS.
Video Poc
https://drive.google.com/file/d/1FxFSglKYeqSBp_dvSaDji3syj4Re32PO/view?usp=sharing
Img Poc
https://drive.google.com/file/d/1jfBIhXEpyKive2O3W58uDjmJB63kD6l3/view?usp=sharing