The regex in question is standard issue for converting escaped query params into their actual values, which is something you'll only see in association with hand-rolled CGI processing (as opposed to using CGI.pm).
The code is ugly and needs serious cleaning up, as you've already noted. Regarding security, I would strictly limit the range of allowable data, and apply all standard tainting practices to this application, as if you were making a system call. By that, I mean you should ignore any extraneous query params, and scrub each POST param to its minimal character set.
I would also use HTTP::Request::Common instead of manually stringing together the POST, and of course check the returned page from PayPal for error or success.
MeowChow
s aamecha.s a..a\u$&owag.print
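A worked version of the advice above, added here as an example and not MeowChow's own code: the unescape regex, a parameter whitelist with per-field untainting, and the POST built with HTTP::Request::Common. The parameter names, the whitelist patterns and the endpoint URL are assumptions.

```perl
#!/usr/bin/perl
# Run as: perl -T this_script.pl   (taint mode, so unscrubbed data cannot
# reach a system call or open() unnoticed). Added example, not the poster's code.
use strict;
use warnings;
use HTTP::Request::Common qw(POST);

# The classic hand-rolled unescape the thread discusses: '+' -> space, %XX -> byte.
sub url_unescape {
    my ($s) = @_;
    $s =~ tr/+/ /;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg;
    return $s;
}

# Whitelist of allowed parameter names (assumed), each with the minimal
# character set it may contain. Unlisted params are ignored; a listed param
# that does not match its pattern aborts the request.
my %allowed = (
    amount   => qr/^(\d{1,6}(?:\.\d{2})?)$/,
    currency => qr/^([A-Z]{3})$/,
    item     => qr/^([A-Za-z0-9 _-]{1,40})$/,
);

sub parse_and_scrub {
    my ($query) = @_;
    my %clean;
    for my $pair (split /[&;]/, $query) {
        my ($k, $v) = map { url_unescape($_) } split /=/, $pair, 2;
        next unless defined $k && exists $allowed{$k};   # drop extraneous params
        $v = '' unless defined $v;
        # A capturing match is the standard Perl untaint idiom under -T:
        # only the captured group ($1) is considered clean.
        $v =~ $allowed{$k} or die "Parameter '$k' failed validation\n";
        $clean{$k} = $1;
    }
    return \%clean;
}

# Constructed sample query string, as a CGI script would receive it; 'debug' is dropped.
my $params = parse_and_scrub('item=Blue+Widget&amount=12.50&currency=USD&debug=1');

# Build the POST with HTTP::Request::Common instead of concatenating strings;
# it handles form encoding and Content-Length for you.
my $req = POST('https://example.invalid/paypal-endpoint',   # placeholder URL
               [ %$params ]);
print $req->as_string;
# Send it with LWP::UserAgent and inspect both $res->is_success and the body
# before treating the payment as completed.
```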