(Update: The XSS was fixed by PayPal just after this disclosure was posted, but the iFrame is still working.)
One more thing I want to mention here: if we look at the Bug Bounty White Hat Hackers lists, you will find that 50% of the rewarded hackers don't even know how to code a website in PHP or ASP, but they are hackers! (Note: The other 50% are very knowledgeable, and I respect most of them, like my other friend Avram Marius, known for hunting hundreds of bugs.)
At the least, I would like to suggest that big companies create a transparent Bug Bounty Panel where hackers can see that someone really did submit a similar bug before them, and companies should at least fix or restrict the vulnerable pages as soon as possible.
Note: Today we also reported on a cross-site scripting bug in Apple.com and reported it to the Apple Security Team. The reply was, "We already aware about the issue, Thank you". The question is still the same: why didn't you take any quick action? And even if I was the second person to report it, why is the bug still exploitable?