Cross-site scripting allows criminals to store malicious code on your website. This code can infect your visitors or customers and thus cause severe harm, for example if the malicious code leads to the installation of a ransomware in their company's network. In this case you could be held liable for the damage. IT security companies could list you on their index of dangerous websites and thus prevent access to your website for security reasons. The information that your website contains/contained malicious code can still be found by search engines, even many years after the malicious code was removed. If your website is listed on such a blacklist, you may no longer be able to receive or send emails, because your entire network and the IP would be rated as a security risk to others.