That is not what I am disputing. If there is a bug in PayPal's search via POST only, you cannot link to PayPal's search. You would need to link to a page you control that performs the POST automatically. If you send a link to the search that only takes parameters via POST, PayPal will never receive the payload.
If the PayPal search only accepts POSTs, then you're absolutely right. It won't be as easy as sharing a link. If it happens to also accept GET requests, then it would. I didn't test this.
Note that _if_ the form is already CSRF-protected, then attackers won't easily be able to POST from a different domain either, which would drastically reduce the attack surface.
I didn't test this, but I'm not sure the form is fully CSRF protected though. I tried to explain the potential exploit from this discovered vulnerability. Perhaps I should have stated more clearly that this is more a general comment, and not specific to this particular case.