Cross site scripting can be used in conjunction with iframes to steal cookies. The stolen cookies could be used to hijack sessions. Now, that may or may not be a big issue depending on what sensitive information your site may or may not contain about users.
In general, I would close XSS vulnerabilities... You can do that by using htmlspecialchars() to encode any potentially offending code before writing it to the page like:
<?php echo(htmlspecialchars($_GET["id"])); ?>