what worse can happen with a xss vulnerable website

What worse can happen with a XSS vulnerable website, I found a website vulnerable to XSS, i mailed them but they didn’t took action even after a 3/4 weeks, so i am just curious what worse can happen with it?