Maybe it's just a big honeypot
Or maybe the XSS vulnerabilities were implanted by a rogue state...
The US National Vulnerability Database was itself left vulnerable to cross-site scripting last week. The NVD serves as a definitive source of information on CVE security flaws. The XSS vulnerability meant that a skilled hacker could present surfers with content from arbitrary third-party sites as if it came from the NVD itself …
See Hanlon's Razor for details...