There are 3 link to social network pages at the bottom of each page.
<a href="index.php?page=redirect&site=facebook" class="icon fa-facebook"></a>
The href inside them has site parameter.
To exploit, change this parameter to some untrusted resource.