Re: [ CWE-79 ] *.nastyfans.org is vulnerable to script injection
by bob123 on 18/06/2020, 17:54:29 UTC
⭐ Merited by Foxpup (2) ,OgNasty (2) ,TryNinja (1)
Effect:

A malicious person can inject a shell script and get the personal deposit address of respected accounts, email, etc., along with server information. If the website, as claimed, operates 1000s of BTC, then the vulnerability is intensified.

What you have shown is "just" a reflected XSS, not a persistent one.
You would need to send the URL with the injected code as a parameter to a person. That person would need to click on that link and have JS enabled for the script to be executed.

You can't inject a script into the server this way. And you definitely can't steal data from the server with this method.
It does exist. To take advantage of it, the attacker would have to coerce someone to visit the attacker's site and the nastyfans site at the same time (in the same browser session) and obviously have JS enabled. This is a serious hole. I hope there are e-mail confirmations or 2FA for any withdrawals, etc.

This still depends on whether and how the same-origin policy is implemented.
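The reply above turns on the difference between a reflected XSS (markup from a crafted link echoed straight back into the page) and a persistent one. The following is an added example, not code from the thread or from the site under discussion: a minimal page renderer that reflects a search parameter, shown in its vulnerable form beside the hardened form (HTML output encoding plus a Content-Security-Policy header that refuses inline script). The `q` parameter, the `shop.example` host and all helper names are assumptions made for the illustration.

```javascript
// Added example (not from the thread): reflected XSS, vulnerable vs. hardened.
// A "search" page echoes the q= query parameter into its HTML. The vulnerable
// renderer interpolates it raw; the hardened one HTML-encodes it, and the
// response carries a CSP that blocks inline scripts even if an encoding site
// is ever missed. All inputs are constructed for illustration.

// Encode the five characters that matter in HTML text and attribute context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: q is reflected verbatim, so markup in the URL becomes markup in the page.
function renderSearchVulnerable(q) {
  return `<h1>Results for ${q}</h1>`;
}

// Hardened: q is treated as data, never as markup.
function renderSearchSafe(q) {
  return `<h1>Results for ${escapeHtml(q)}</h1>`;
}

// Headers a defender adds alongside encoding: a CSP that refuses inline
// scripts and event handlers, so one missed encoding site cannot run code.
function responseHeaders() {
  return {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
  };
}

// A reflected XSS only fires when a victim opens a crafted link, so the
// attacker-controlled value arrives as a query parameter of that link.
function qFromLink(link) {
  return new URL(link).searchParams.get("q") || "";
}

// Detection helper for a response-side check or test: does the rendered page
// contain a script tag or inline event handler that the template never had?
function containsInjectedTag(html) {
  return /<script\b/i.test(html) || /\bon\w+\s*=/i.test(html);
}
```

Run the two renderers on the same reflected parameter: the vulnerable one emits the tag into the page, the hardened one emits harmless text.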