According to Forbes, A new XSS (cross site scripting) vulnerability was identified on Paypal.com. It was discovered by a researcher and was disclosed on both Security-Shell and XSSed. That bug would allow a malicious hacker to insert code on the site that could potentially be used to access a user’s account.
The problem, technically, is found in the parameter sender_country in a transaction called nvpsm. NVP is Paypal’s API for Merchants to use when interacting with the Paypal web site, it stands for Name-Value Pair. SM is short for ’send money’. A problem such as this can be used to capture a user’s session (essentially log in as that user) and perform privileged actions (money transfers) as that user, as well as send a user a valid Paypal URL but then redirect them to a malicious third party site (phishing, malware, etc.).
As if PayPal doesn't have enough problems.