Description I noticed, your website is very secure.
But you overlooked a flaw XSS
Proof of Concept
1 .Login vs admin demo account and access admin page.
2 .Go to Configuration ==> FAQ Multisites
3 . Edit Instance URL with payload:
javascript:alert(document.domain)
4 .Edit Instance path with payload:
%20
5 .Click Save instance ==Detect XSS
Video Poc
https://drive.google.com/file/d/1PoNK_Up7IEgR44NnFp-SI6O1wKWhI-ov/view?usp=sharing