Paypal is affected by an XSS vulnerability where it fails to validate input on URL shown in above image. PayPal fixed the vulnerability shortly after being notified that its publicly posted. XSS, in general is a vulnerability that allows hackers to inject client side script on webpages. An attacker able to trick a user with a valid Paypal session into clicking a crafted version of the link below (wouldn’t be hard, think a link on an eBay auction listing or a phishing e-mail for example)
Source: https://thehackernews.com/2012/03/cross-site-scripting-xss-vulnerability.html