If the PayPal search only accepts POSTs then you're absolutely right. It won't be as easy as sharing a link. If it happens to also accept GET requests, then it would. I didn't test this.
Note that _if_ the form is already CSRF-protected, then attackers won't easily be able to POST from a different domain either, which would drastically reduce the attack surface.
I didn't test this, but I'm not sure the form is fully CSRF-protected though. I tried to explain the potential exploit from this discovered vulnerability. Perhaps I should have stated more clearly that this is more of a general comment, and not specific to this particular case.