The title was copied from the post, I did not see this before posting. Inspecting it further, he says: "I found out that 13 more countries are affected with this xss attack."
The country-codes are obviously just handled as another parameter while the vulnerable code is the same on all of them. I am sorry if I helped to cause more confusion, but again - I just copy/pasted.
I don't know why people have trouble getting a response from PayPal.. I submitted an XSS and a CRLF injection issue over the holiday weekend and got a response this morning.
