Description
I noticed your website is very secure.
But you overlooked a File Upload flaw.
Proof of Concept
Detail:
1. Login with the admin demo account and access the admin page.
2. Create a category titled “test” and upload an image file.
3. Using Burp Suite, edit Content-Type to image/html and insert the payload at the end of the content:
<script>window.location.href = 'https://www.youtube.com'</script>
4. Go back to the home page and save the image as “.html”.
5. Open the image file; it navigates to the YouTube website.
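The report shows two weaknesses working together: the server trusts the client-supplied Content-Type (image/html is accepted for an "image"), and script text appended after the image bytes is stored and served back untouched. The following is an added example of a server-side upload check that rejects both, written for this write-up and not taken from the affected project. It assumes the upload handler can pass the raw bytes and the declared type to a validator, and that stored files are served under a server-generated name; the 1x1 PNG is constructed inline so the checks run against a genuine image.

```python
import struct
import zlib

# Allowed MIME types and the magic bytes each must begin with.
# A declared type outside this table (e.g. "image/html") is rejected outright.
MAGIC = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}

# Bytes a well-formed file of each type must END with; anything after them is appended data.
TRAILER = {
    "image/png": b"\x00\x00\x00\x00IEND\xaeB`\x82",  # zero-length IEND chunk + its fixed CRC
    "image/jpeg": b"\xff\xd9",                        # End Of Image marker
    "image/gif": b"\x3b",                             # GIF trailer byte
}


def sniff_type(data: bytes):
    """Return the MIME type implied by the file's magic bytes, or None if unrecognised."""
    for mime, prefixes in MAGIC.items():
        if any(data.startswith(p) for p in prefixes):
            return mime
    return None


def validate_upload(declared_type: str, data: bytes):
    """Return (accepted, reason). The client's declared type is only a claim to be verified."""
    if declared_type not in MAGIC:
        return False, f"content type {declared_type!r} is not an allowed image type"
    detected = sniff_type(data)
    if detected != declared_type:
        return False, f"declared {declared_type!r} but magic bytes say {detected!r}"
    if not data.endswith(TRAILER[declared_type]):
        return False, "data after end-of-image marker (possible appended payload)"
    return True, "ok"


def download_headers(stored_name: str, mime: str) -> dict:
    """Headers for serving a stored upload: server-chosen type, no sniffing, never rendered inline.

    stored_name is assumed to be generated by the server (e.g. a UUID plus extension),
    never the user-supplied filename, so it is safe to place in the header unescaped.
    """
    return {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{stored_name}"',
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


def _png_chunk(tag: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(tag + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", crc)


def make_png_1x1() -> bytes:
    """Constructed sample input: a valid 1x1 RGB PNG."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, RGB
    scanline = b"\x00\xff\x00\x00"                        # filter type 0 + one red pixel
    return (MAGIC["image/png"][0]
            + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", zlib.compress(scanline))
            + _png_chunk(b"IEND", b""))


# The script from the report, appended to an image as the PoC does.
PAYLOAD = b"<script>window.location.href = 'https://www.youtube.com'</script>"

if __name__ == "__main__":
    clean = make_png_1x1()
    cases = [
        ("image/png", clean),              # honest upload: accepted
        ("image/html", clean + PAYLOAD),   # the report's Content-Type edit: rejected by allowlist
        ("image/png", clean + PAYLOAD),    # correct type, appended script: rejected by trailer check
        ("image/jpeg", clean),             # type/content mismatch: rejected by magic bytes
    ]
    for declared, data in cases:
        print(declared, validate_upload(declared, data))
    print(download_headers("3f2a9c.png", "image/png"))
```

The trailer check is deliberately structural rather than a search for `<script`: it catches any bytes appended past the image's end marker, whatever they contain. The response headers are the second half of the fix; even if an odd file slips through, `nosniff` plus `attachment` stop the browser from rendering it as a document on the site's origin.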
Video PoC
https://drive.google.com/file/d/1o05oFZXNDVLnpF9e86R9DAKXfYILHKR8/view?usp=sharing