The researcher found an XSS vulnerability caused by query parameters not being properly sanitized before being displayed on the page.