Due to this problem, we froze at PHP version 5.2.1 until today. McAfee SECURE now sees the old version as so vulnerable that it revokes the Hacker Safe seal.

We've tried installing PHP version 5.3.3, and phpPaypalPro seems to work fine!

So far, we just had one adjustment to avoid a new warning, and that was to typecast $amount as float in the input to number_format() in paypal_types.php, function BasicAmountType (line 45), since it can sometimes be a string:

$BasicAmountType['_'] = number_format((float) $amount, 2);