XSS vulnerability through store locator results page.
The search query is sent as a GET parameter and is not escaped within the form input; this allows code to be rendered directly from a malicious URL.
<input class="form-control" placeholder="e.g. Liverpool, L3 8JA" type="text" name="location" id="location" value="" onclick=alert(document.cookie)" id="">
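The flaw and its fix as an added example (constructed Node.js code, not the affected site's source; the template mirrors the rendered tag above, and `renderUnsafe`, `renderSafe`, `escapeAttr` and `injectedAttributes` are hypothetical names). It reflects the query into the `value` attribute with and without attribute escaping, then scans the rendered tag for attributes the template never defined.

```javascript
// Added example: constructed code, not the affected site's source.
// Template mirrors the rendered tag on this page; `v` is the "location" GET parameter.
const template = v =>
  '<input class="form-control" placeholder="e.g. Liverpool, L3 8JA" type="text" ' +
  `name="location" id="location" value="${v}" id="">`;

// Escape characters that can end or alter a quoted HTML attribute value.
function escapeAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Vulnerable: raw parameter concatenated into the attribute.
function renderUnsafe(location) { return template(location); }

// Hardened: parameter escaped for the attribute context before output.
function renderSafe(location) { return template(escapeAttr(location)); }

// Attributes the template itself defines.
const EXPECTED = new Set(['class', 'placeholder', 'type', 'name', 'id', 'value']);

// Minimal single-tag attribute scanner for a regression check (not a full HTML
// parser). Returns attribute names present in the tag but absent from EXPECTED.
function injectedAttributes(tag) {
  const body = tag.replace(/^<\w+/, '').replace(/>\s*$/, '');
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]*))?/g;
  const found = [];
  for (const m of body.matchAll(re)) {
    const name = m[1].toLowerCase();
    if (!EXPECTED.has(name)) found.push(name);
  }
  return found;
}

// Query value reconstructed from the rendered tag shown on this page.
const PAGE_PAYLOAD = '" onclick=alert(document.cookie)';

console.log(injectedAttributes(renderUnsafe(PAGE_PAYLOAD)));
console.log(injectedAttributes(renderSafe(PAGE_PAYLOAD)));
console.log(renderSafe(PAGE_PAYLOAD));
```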
Reported Fixed