Oh wow, I can't believe they left all their CMS resources on open listing... that's quite a find. Their website reports that the "trylocationsmart500x250-w500h250.png" file, which is a screenshot of an older version of the vulnerable website, was uploaded 2016-09-14 22:20. This means that the vulnerable site was probably available since at least September 2016.