PHP 7.0 reached end-of-life in December 2018, yet over 531 websites still run this vulnerable version. Security researchers have identified 156 known vulnerabilities affecting PHP 7.0, including 61 critical flaws that could allow attackers to execute arbitrary code on your server. These aren't theoretical threats—they're actively exploited in the wild by cybercriminals targeting outdated installations.
If your website runs PHP 7.0, you're operating with a massive security liability. Critical vulnerabilities like CVE-2015-8617 (format string attacks), CVE-2016-2554 (buffer overflow), and CVE-2016-4071 (remote code execution via SNMP) have been public knowledge for years, yet thousands of sites remain unpatched. This guide will help you identify whether you're at risk and provide a clear roadmap to upgrade your PHP version immediately.
Don't wait for a breach to force action. Upgrading PHP is one of the most important security decisions you can make for your website.
PHP 7.0 was released in December 2015 as a major update that promised significant performance improvements and modern programming features. It was widely adopted by WordPress sites, e-commerce platforms, and web applications worldwide. However, like all software, PHP 7.0 had security flaws that were discovered and patched in subsequent versions. When Zend officially ended support for PHP 7.0 in December 2018, no more security updates were released—meaning any new vulnerabilities discovered after that date would never be fixed.
Think of PHP as the engine that powers your website. Using an outdated, unsupported version is like driving a car with known brake failures. Sure, it might still run, but the risks are catastrophic. Every day your site runs PHP 7.0, you're exposed to 156 known attack vectors that hackers can exploit. Worse, plugin developers and WordPress security teams have stopped testing compatibility with PHP 7.0, leaving your site increasingly isolated from security updates and modern protections.
156 CVEs found. The most critical are explained below.
The wpDiscuz plugin for WordPress has a serious flaw that lets anyone upload files to your website without permission. An attacker could upload dangerous files, like PHP scripts, that give them control over your entire site.
Impact: An attacker could take complete control of your website, steal customer data, inject malware, or shut down your site entirely.
OpenEMR medical records software has a vulnerability where authorized users can write files anywhere on the server. An attacker with even limited access could overwrite critical files and compromise the entire system.
Impact: Patient data could be exposed, corrupted, or deleted. An attacker could take control of your medical records system and potentially access sensitive health information.
PHP 7.0 has a flaw in how it handles error messages that allows attackers to inject malicious code. If your website uses PHP 7.0, attackers could execute commands on your server by crafting special error messages.
Impact: An attacker could execute arbitrary code on your server, giving them full control of your website and access to all data.
PHP 7.0 has a flaw when processing TAR archive files that could cause the application to crash or behave unpredictably. An attacker could upload a specially crafted TAR file to exploit this weakness.
Impact: Your website could crash and become unavailable. In worst cases, attackers could gain control of your server.
If your website uses PHP's SNMP feature (for network monitoring), PHP 7.0 has a vulnerability that lets attackers execute malicious code. An attacker could craft special SNMP requests to run commands on your server.
Impact: An attacker could execute code on your server, steal data, or take control of your website.
PHP 7.0's file handling system has a flaw where specially crafted filenames can be exploited to run malicious code. An attacker could upload a file with a dangerous name to compromise your site.
Impact: An attacker could execute arbitrary code on your server and gain full control of your website.
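To turn the table below into an actual exposure check for a specific server, the NVD descriptions need to be read for their version bounds: the PHP interpreter rows phrase the 7.0 branch as "7.x before 7.0.9" (fixed in 7.0.9) or "7.x through 7.0.12" (7.0.12 itself still affected). The script below is an added example, not code from this page or from the PHP project; it takes the installed version string (on the server, `php -r 'echo PHP_VERSION;'` prints it) and buckets each CVE as affected, fixed, or not about PHP itself. That last bucket matters: several rows in the table (iCMS, PHP-Nuke, PHP-Fusion, WordPress plugins) describe products whose own version number happens to be 7.0, so the parser sets them aside rather than counting them against your build. The six sample rows are copied from the table; the function names are the example's own.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: six (CVE id, description) pairs copied from the NVD
# table on this page. Real triage would load the full exported table.
SAMPLE_ROWS: List[Tuple[str, str]] = [
    ("CVE-2016-4073", "Multiple integer overflows in the mbfl_strcut function in "
     "ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP before 5.5.34, 5.6.x before "
     "5.6.20, and 7.x before 7.0.5 allow remote attackers to cause a denial of service"),
    ("CVE-2015-8880", "Double free vulnerability in the format printer in PHP 7.x "
     "before 7.0.1 allows remote attackers to have an unspecified impact"),
    ("CVE-2016-9138", "PHP through 5.6.27 and 7.x through 7.0.12 mishandles property "
     "modification during __wakeup processing"),
    ("CVE-2018-20783", "In PHP before 5.6.39, 7.x before 7.0.33, 7.1.x before 7.1.25, "
     "and 7.2.x before 7.2.13, a buffer over-read in PHAR reading functions"),
    ("CVE-2016-5385", "PHP through 7.0.8 does not attempt to address RFC 3875 "
     "section 4.1.18 namespace conflicts"),
    ("CVE-2019-7160", "idreamsoft iCMS 7.0.13 allows admincp.php?app=files ../ "
     "Directory Traversal via the udir parameter"),
]

Version = Tuple[int, ...]

# NVD phrasings for the PHP 7.0 branch as they appear in the table:
#   "7.x before 7.0.9", "7.0.x before 7.0.15", "PHP before 7.0.4"    -> affected if < bound
#   "7.x through 7.0.12", "7.0.x through 7.0.22", "PHP through 7.0.8" -> affected if <= bound
RANGE_RE = re.compile(r"\b(?:PHP|7\.x|7\.0\.x)\s+(before|through)\s+(7\.0\.\d+)\b")


def parse_version(text: str) -> Version:
    """'7.0.33' -> (7, 0, 33); tuples compare correctly component-wise."""
    return tuple(int(part) for part in text.split("."))


def php_core_bound(description: str) -> Optional[Tuple[Version, bool]]:
    """Extract the PHP 7.0.x bound from an NVD description.

    Returns (bound, inclusive): inclusive=False for "before X" (fixed in X),
    inclusive=True for "through X" (X itself still affected). Returns None when
    the description carries no PHP 7.0 interpreter range, which is the case for
    third-party products whose own version merely contains "7.0".
    """
    match = RANGE_RE.search(description)
    if match is None:
        return None
    keyword, bound = match.groups()
    return parse_version(bound), keyword == "through"


def is_affected(installed: str, description: str) -> Optional[bool]:
    """True/False for a PHP-core range, None when the row is not about PHP itself."""
    parsed = php_core_bound(description)
    if parsed is None:
        return None
    bound, inclusive = parsed
    version = parse_version(installed)
    return version <= bound if inclusive else version < bound


def triage(installed: str, rows: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Bucket CVE ids by whether the installed PHP build falls inside their range."""
    result: Dict[str, List[str]] = {"affected": [], "fixed": [], "not_php_core": []}
    for cve_id, description in rows:
        verdict = is_affected(installed, description)
        if verdict is None:
            result["not_php_core"].append(cve_id)
        elif verdict:
            result["affected"].append(cve_id)
        else:
            result["fixed"].append(cve_id)
    return result


if __name__ == "__main__":
    # On the server, obtain the installed build with: php -r 'echo PHP_VERSION;'
    for build in ("7.0.10", "7.0.33"):
        print(build, triage(build, SAMPLE_ROWS))
```

A 7.0.10 build lands inside the ranges of CVE-2016-9138 and CVE-2018-20783 in this sample, while the final 7.0.33 release clears every listed bound. Read the second result carefully: "fixed" here only means the bound in the NVD text is below the installed version. Anything discovered after the branch's end of life in December 2018 never received a 7.0 release at all, so a clean result against this table is not the same as a supported interpreter.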
| CVE ID | Severity | Score | Published | Description |
|---|---|---|---|---|
| CVE-2016-4073 | CRITICAL | 9.8 | 2016-05-20 | Multiple integer overflows in the mbfl_strcut function in ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allow remote attacke… |
| CVE-2015-8880 | CRITICAL | 9.8 | 2016-05-22 | Double free vulnerability in the format printer in PHP 7.x before 7.0.1 allows remote attackers to have an unspecified impact by triggering an error. |
| CVE-2016-4344 | CRITICAL | 9.8 | 2016-05-22 | Integer overflow in the xml_utf8_encode function in ext/xml/xml.c in PHP before 7.0.4 allows remote attackers to cause a denial of service or possibly have unspecified other impac… |
| CVE-2016-4345 | CRITICAL | 9.8 | 2016-05-22 | Integer overflow in the php_filter_encode_url function in ext/filter/sanitizing_filters.c in PHP before 7.0.4 allows remote attackers to cause a denial of service or possibly have… |
| CVE-2016-4346 | CRITICAL | 9.8 | 2016-05-22 | Integer overflow in the str_pad function in ext/standard/string.c in PHP before 7.0.4 allows remote attackers to cause a denial of service or possibly have unspecified other impac… |
| CVE-2016-4537 | CRITICAL | 9.8 | 2016-05-22 | The bcpowmod function in ext/bcmath/bcmath.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 accepts a negative integer for the scale argument, which allows remote… |
| CVE-2016-4538 | CRITICAL | 9.8 | 2016-05-22 | The bcpowmod function in ext/bcmath/bcmath.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 modifies certain data structures without considering whether they are … |
| CVE-2016-4539 | CRITICAL | 9.8 | 2016-05-22 | The xml_parse_into_struct function in ext/xml/xml.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 allows remote attackers to cause a denial of service (buffer un… |
| CVE-2016-4540 | CRITICAL | 9.8 | 2016-05-22 | The grapheme_stripos function in ext/intl/grapheme/grapheme_string.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 allows remote attackers to cause a denial of s… |
| CVE-2016-4541 | CRITICAL | 9.8 | 2016-05-22 | The grapheme_strpos function in ext/intl/grapheme/grapheme_string.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 allows remote attackers to cause a denial of se… |
| CVE-2016-4542 | CRITICAL | 9.8 | 2016-05-22 | The exif_process_IFD_TAG function in ext/exif/exif.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 does not properly construct spprintf arguments, which allows r… |
| CVE-2016-4543 | CRITICAL | 9.8 | 2016-05-22 | The exif_process_IFD_in_JPEG function in ext/exif/exif.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 does not validate IFD sizes, which allows remote attackers… |
| CVE-2016-4544 | CRITICAL | 9.8 | 2016-05-22 | The exif_process_TIFF_in_JPEG function in ext/exif/exif.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 does not validate TIFF start data, which allows remote at… |
| CVE-2016-6290 | CRITICAL | 9.8 | 2016-07-25 | ext/session/session.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 does not properly maintain a certain hash data structure, which allows remote attackers to ca… |
| CVE-2016-6291 | CRITICAL | 9.8 | 2016-07-25 | The exif_process_IFD_in_MAKERNOTE function in ext/exif/exif.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of service … |
| CVE-2016-6294 | CRITICAL | 9.8 | 2016-07-25 | The locale_accept_from_http function in ext/intl/locale/locale_methods.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 does not properly restrict calls to the IC… |
| CVE-2016-6295 | CRITICAL | 9.8 | 2016-07-25 | ext/snmp/snmp.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 improperly interacts with the unserialize implementation and garbage collection, which allows remot… |
| CVE-2016-6296 | CRITICAL | 9.8 | 2016-07-25 | Integer signedness error in the simplestring_addn function in simplestring.c in xmlrpc-epi through 0.54.2, as used in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9,… |
| CVE-2016-3078 | CRITICAL | 9.8 | 2016-08-07 | Multiple integer overflows in php_zip.c in the zip extension in PHP before 7.0.6 allow remote attackers to cause a denial of service (heap-based buffer overflow and application cr… |
| CVE-2016-3132 | CRITICAL | 9.8 | 2016-08-07 | Double free vulnerability in the SplDoublyLinkedList::offsetSet function in ext/spl/spl_dllist.c in PHP 7.x before 7.0.6 allows remote attackers to execute arbitrary code via a cr… |
| CVE-2016-5768 | CRITICAL | 9.8 | 2016-08-07 | Double free vulnerability in the _php_mb_regex_ereg_replace_exec function in php_mbregex.c in the mbstring extension in PHP before 5.5.37, 5.6.x before 5.6.23, and 7.x before 7.0.… |
| CVE-2016-5769 | CRITICAL | 9.8 | 2016-08-07 | Multiple integer overflows in mcrypt.c in the mcrypt extension in PHP before 5.5.37, 5.6.x before 5.6.23, and 7.x before 7.0.8 allow remote attackers to cause a denial of service … |
| CVE-2016-5772 | CRITICAL | 9.8 | 2016-08-07 | Double free vulnerability in the php_wddx_process_data function in wddx.c in the WDDX extension in PHP before 5.5.37, 5.6.x before 5.6.23, and 7.x before 7.0.8 allows remote attac… |
| CVE-2016-5773 | CRITICAL | 9.8 | 2016-08-07 | php_zip.c in the zip extension in PHP before 5.5.37, 5.6.x before 5.6.23, and 7.x before 7.0.8 improperly interacts with the unserialize implementation and garbage collection, whi… |
| CVE-2016-7124 | CRITICAL | 9.8 | 2016-09-12 | ext/standard/var_unserializer.c in PHP before 5.6.25 and 7.x before 7.0.10 mishandles certain invalid objects, which allows remote attackers to cause a denial of service or possib… |
| CVE-2016-7126 | CRITICAL | 9.8 | 2016-09-12 | The imagetruecolortopalette function in ext/gd/gd.c in PHP before 5.6.25 and 7.x before 7.0.10 does not properly validate the number of colors, which allows remote attackers to ca… |
| CVE-2016-7127 | CRITICAL | 9.8 | 2016-09-12 | The imagegammacorrect function in ext/gd/gd.c in PHP before 5.6.25 and 7.x before 7.0.10 does not properly validate gamma values, which allows remote attackers to cause a denial o… |
| CVE-2016-7129 | CRITICAL | 9.8 | 2016-09-12 | The php_wddx_process_data function in ext/wddx/wddx.c in PHP before 5.6.25 and 7.x before 7.0.10 allows remote attackers to cause a denial of service (segmentation fault) or possi… |
| CVE-2016-7134 | CRITICAL | 9.8 | 2016-09-12 | ext/curl/interface.c in PHP 7.x before 7.0.10 does not work around a libcurl integer overflow, which allows remote attackers to cause a denial of service (allocation error and hea… |
| CVE-2016-7413 | CRITICAL | 9.8 | 2016-09-17 | Use-after-free vulnerability in the wddx_stack_destroy function in ext/wddx/wddx.c in PHP before 5.6.26 and 7.x before 7.0.11 allows remote attackers to cause a denial of service … |
| CVE-2016-7414 | CRITICAL | 9.8 | 2016-09-17 | The ZIP signature-verification feature in PHP before 5.6.26 and 7.x before 7.0.11 does not ensure that the uncompressed_filesize field is large enough, which allows remote attacke… |
| CVE-2016-7417 | CRITICAL | 9.8 | 2016-09-17 | ext/spl/spl_array.c in PHP before 5.6.26 and 7.x before 7.0.11 proceeds with SplArray unserialization without validating a return value and data type, which allows remote attacker… |
| CVE-2016-7568 | CRITICAL | 9.8 | 2016-09-28 | Integer overflow in the gdImageWebpCtx function in gd_webp.c in the GD Graphics Library (aka libgd) through 2.2.3, as used in PHP through 7.0.11, allows remote attackers to cause … |
| CVE-2016-8670 | CRITICAL | 9.8 | 2017-01-04 | Integer signedness error in the dynamicGetbuf function in gd_io_dp.c in the GD Graphics Library (aka libgd) through 2.2.3, as used in PHP before 5.6.28 and 7.x before 7.0.13, allo… |
| CVE-2016-9137 | CRITICAL | 9.8 | 2017-01-04 | Use-after-free vulnerability in the CURLFile implementation in ext/curl/curl_file.c in PHP before 5.6.27 and 7.x before 7.0.12 allows remote attackers to cause a denial of service… |
| CVE-2016-9138 | CRITICAL | 9.8 | 2017-01-04 | PHP through 5.6.27 and 7.x through 7.0.12 mishandles property modification during __wakeup processing, which allows remote attackers to cause a denial of service or possibly have … |
| CVE-2016-9935 | CRITICAL | 9.8 | 2017-01-04 | The php_wddx_push_element function in ext/wddx/wddx.c in PHP before 5.6.29 and 7.x before 7.0.14 allows remote attackers to cause a denial of service (out-of-bounds read and memor… |
| CVE-2016-9936 | CRITICAL | 9.8 | 2017-01-04 | The unserialize implementation in ext/standard/var.c in PHP 7.x before 7.0.14 allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified ot… |
| CVE-2017-5340 | CRITICAL | 9.8 | 2017-01-11 | Zend/zend_hash.c in PHP before 7.0.15 and 7.1.x before 7.1.1 mishandles certain cases that require large array allocations, which allows remote attackers to execute arbitrary code… |
| CVE-2016-7480 | CRITICAL | 9.8 | 2017-01-11 | The SplObjectStorage unserialize implementation in ext/spl/spl_observer.c in PHP before 7.0.12 does not verify that a key is an object, which allows remote attackers to execute ar… |
| CVE-2016-10160 | CRITICAL | 9.8 | 2017-01-24 | Off-by-one error in the phar_parse_pharfile function in ext/phar/phar.c in PHP before 5.6.30 and 7.0.x before 7.0.15 allows remote attackers to cause a denial of service (memory c… |
| CVE-2016-4473 | CRITICAL | 9.8 | 2017-06-08 | /ext/phar/phar_object.c in PHP 7.0.7 and 5.6.x allows remote attackers to execute arbitrary code. NOTE: Introduced as part of an incomplete fix to CVE-2015-6833. |
| CVE-2017-11362 | CRITICAL | 9.8 | 2017-07-17 | In PHP 7.x before 7.0.21 and 7.1.x before 7.1.7, ext/intl/msgformat/msgformat_parse.c does not restrict the locale length, which allows remote attackers to cause a denial of servi… |
| CVE-2017-12932 | CRITICAL | 9.8 | 2017-08-18 | ext/standard/var_unserializer.re in PHP 7.0.x through 7.0.22 and 7.1.x through 7.1.8 is prone to a heap use after free while unserializing untrusted data, related to improper use … |
| CVE-2017-12933 | CRITICAL | 9.8 | 2017-08-18 | The finish_nested_data function in ext/standard/var_unserializer.re in PHP before 5.6.31, 7.0.x before 7.0.21, and 7.1.x before 7.1.7 is prone to a buffer over-read while unserial… |
| CVE-2018-7584 | CRITICAL | 9.8 | 2018-03-01 | In PHP through 5.6.33, 7.0.x before 7.0.28, 7.1.x through 7.1.14, and 7.2.x through 7.2.2, there is a stack-based buffer under-read while parsing an HTTP response in the php_strea… |
| CVE-2019-7160 | CRITICAL | 9.8 | 2019-01-29 | idreamsoft iCMS 7.0.13 allows admincp.php?app=files ../ Directory Traversal via the udir parameter to files.admincp.php, resulting in execution of arbitrary PHP code from a ZIP fi… |
| CVE-2018-19514 | CRITICAL | 9.8 | 2019-03-21 | In Webgalamb through 7.0, an arbitrary code execution vulnerability could be exploited remotely without authentication. Exploitation requires authentication bypass to access admin… |
| CVE-2024-54724 | CRITICAL | 9.8 | 2025-01-09 | PHPYun before 7.0.2 is vulnerable to code execution through backdoor-restricted arbitrary file writing and file inclusion. |
| CVE-2018-25357 | CRITICAL | 9.8 | 2026-05-23 | Dolibarr ERP CRM 7.0.3 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary code by injecting PHP code through the db_name par… |
| CVE-2026-42569 | CRITICAL | 9.4 | 2026-05-09 | phpVMS is a PHP application to run and simulate an airline. Prior to version 7.0.6, a critical vulnerability in phpVMS allowed unauthenticated access to a legacy import feature. T… |
| CVE-2016-1903 | CRITICAL | 9.1 | 2016-01-19 | The gdImageRotateInterpolated function in ext/gd/libgd/gd_interpolation.c in PHP before 5.5.31, 5.6.x before 5.6.17, and 7.x before 7.0.2 allows remote attackers to obtain sensiti… |
| CVE-2016-5114 | CRITICAL | 9.1 | 2016-08-07 | sapi/fpm/fpm/fpm_log.c in PHP before 5.5.31, 5.6.x before 5.6.17, and 7.x before 7.0.2 misinterprets the semantics of the snprintf return value, which allows attackers to obtain s… |
| CVE-2017-11147 | CRITICAL | 9.1 | 2017-07-10 | In PHP before 5.6.30 and 7.x before 7.0.15, the PHAR archive handler could be used by attackers supplying malicious archive files to crash the PHP interpreter or potentially discl… |
| CVE-2024-8016 | CRITICAL | 9.1 | 2024-08-30 | The Events Calendar Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 7.0.2 via deserialization of untrusted input from the 'fil… |
| CVE-2016-4342 | HIGH | 8.8 | 2016-05-22 | ext/phar/phar_object.c in PHP before 5.5.32, 5.6.x before 5.6.18, and 7.x before 7.0.3 mishandles zero-length uncompressed data, which allows remote attackers to cause a denial of… |
| CVE-2016-4343 | HIGH | 8.8 | 2016-05-22 | The phar_make_dirstream function in ext/phar/dirstream.c in PHP before 5.6.18 and 7.x before 7.0.3 mishandles zero-size ././@LongLink files, which allows remote attackers to cause… |
| CVE-2016-6297 | HIGH | 8.8 | 2016-07-25 | Integer overflow in the php_stream_zip_opener function in ext/zip/zip_stream.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a d… |
| CVE-2016-5766 | HIGH | 8.8 | 2016-08-07 | Integer overflow in the _gd2GetHeader function in gd_gd2.c in the GD Graphics Library (aka libgd) before 2.2.3, as used in PHP before 5.5.37, 5.6.x before 5.6.23, and 7.x before 7… |
| CVE-2016-5767 | HIGH | 8.8 | 2016-08-07 | Integer overflow in the gdImageCreate function in gd.c in the GD Graphics Library (aka libgd) before 2.0.34RC1, as used in PHP before 5.5.37, 5.6.x before 5.6.23, and 7.x before 7… |
| CVE-2018-10549 | HIGH | 8.8 | 2018-04-29 | An issue was discovered in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. exif_read_data in ext/exif/exif.c has an out-of-bounds read for cra… |
| CVE-2020-11803 | HIGH | 8.8 | 2020-09-17 | An issue was discovered in Titan SpamTitan 7.07. Improper sanitization of the parameter jaction when interacting with the page mailqueue.php could lead to PHP code evaluation serv… |
| CVE-2026-41463 | HIGH | 8.8 | 2026-04-27 | ProjeQtor versions 7.0 through 12.4.3 contain a ZipSlip path traversal vulnerability in the plugin upload functionality that allows authenticated attackers with upload permissions… |
| CVE-2026-7654 | HIGH | 8.8 | 2026-06-05 | The Admin Columns plugin for WordPress is vulnerable to PHP Object Injection leading to Remote Code Execution in versions up to and including 7.0.18. This is due to the use of `un… |
| CVE-2015-8616 | HIGH | 8.6 | 2016-01-19 | Use-after-free vulnerability in the Collator::sortWithSortKeys function in ext/intl/collator/collator_sort.c in PHP 7.x before 7.0.1 allows remote attackers to cause a denial of s… |
| CVE-2016-5093 | HIGH | 8.6 | 2016-08-07 | The get_icu_value_internal function in ext/intl/locale/locale_methods.c in PHP before 5.5.36, 5.6.x before 5.6.22, and 7.x before 7.0.7 does not ensure the presence of a '\0' char… |
| CVE-2016-5385 | HIGH | 8.1 | 2016-07-19 | PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in… |
| CVE-2016-7133 | HIGH | 8.1 | 2016-09-12 | Zend/zend_alloc.c in PHP 7.x before 7.0.10, when open_basedir is enabled, mishandles huge realloc operations, which allows remote attackers to cause a denial of service (integer o… |
| CVE-2016-7412 | HIGH | 8.1 | 2016-09-17 | ext/mysqlnd/mysqlnd_wireprotocol.c in PHP before 5.6.26 and 7.x before 7.0.11 does not verify that a BIT field has the UNSIGNED_FLAG flag, which allows remote MySQL servers to cau… |
| CVE-2015-4717 | HIGH | 7.8 | 2015-10-21 | The filename sanitization component in ownCloud Server before 6.0.8, 7.0.x before 7.0.6, and 8.0.x before 8.0.4 does not properly handle $_GET parameters cast by PHP to an array, … |
| CVE-2016-6289 | HIGH | 7.8 | 2016-07-25 | Integer overflow in the virtual_file_ex function in TSRM/tsrm_virtual_cwd.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a deni… |
| CVE-2016-5399 | HIGH | 7.8 | 2017-04-21 | The bzread function in ext/bz2/bz2.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of service (out-of-bounds write) or … |
| CVE-2017-11628 | HIGH | 7.8 | 2017-07-25 | In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before 7.1.7, a stack-based buffer overflow in the zend_ini_do_op() function in Zend/zend_ini_parser.c could cause a denial of s… |
| CVE-2013-7456 | HIGH | 7.6 | 2016-08-07 | gd_interpolation.c in the GD Graphics Library (aka libgd) before 2.1.1, as used in PHP before 5.5.36, 5.6.x before 5.6.22, and 7.x before 7.0.7, allows remote attackers to cause a… |
| CVE-2004-1820 | HIGH | 7.5 | 2004-03-15 | PHP remote file inclusion vulnerability in displaycategory.php in 4nalbum 0.92 for PHP-Nuke 6.5 through 7.0 allows remote attackers to execute arbitrary PHP code by modifying the … |
| CVE-2004-1821 | HIGH | 7.5 | 2004-03-15 | SQL injection vulnerability in 4nalbum 0.92 for PHP-Nuke 6.5 through 7.0 allows remote attackers to gain privileges or perform unauthorized database operations via the gid paramet… |
| CVE-2006-5904 | HIGH | 7.5 | 2006-11-15 | Multiple PHP remote file inclusion vulnerabilities in MWChat Pro 7.0 allow remote attackers to execute arbitrary PHP code via a URL in the CONFIG[MWCHAT_Libs] parameter to (1) abo… |
| CVE-2007-2201 | HIGH | 7.5 | 2007-04-24 | Multiple PHP remote file inclusion vulnerabilities in Post Revolution 6.6 and 7.0 RC2 allow remote attackers to execute arbitrary PHP code via a URL in the dir parameter to (1) co… |
| CVE-2008-2020 | HIGH | 7.5 | 2008-04-30 | The CAPTCHA implementation as used in (1) Francisco Burzi PHP-Nuke 7.0 and 8.1, (2) my123tkShop e-Commerce-Suite (aka 123tkShop) 0.9.1, (3) phpMyBitTorrent 1.2.2, (4) TorrentFlux … |
| CVE-2009-2112 | HIGH | 7.5 | 2009-06-18 | Directory traversal vulnerability in include/page_bottom.php in phpFK 7.03 allows remote attackers to include and execute arbitrary local files via directory traversal sequences i… |
| CVE-2013-1803 | HIGH | 7.5 | 2014-05-05 | Multiple SQL injection vulnerabilities in PHP-Fusion before 7.02.06 allow remote attackers to execute arbitrary SQL commands via the (1) orderby parameter to downloads.php; or rem… |
| CVE-2013-7375 | HIGH | 7.5 | 2014-05-05 | SQL injection vulnerability in includes/classes/Authenticate.class.php in PHP-Fusion 7.02.01 through 7.02.05 allows remote attackers to execute arbitrary SQL commands via the user… |
| CVE-2014-8596 | HIGH | 7.5 | 2014-11-17 | Multiple SQL injection vulnerabilities in PHP-Fusion 7.02.07 allow remote authenticated users to execute arbitrary SQL commands via the (1) submit_id parameter in a 2 action to fi… |
| CVE-2016-4070 | HIGH | 7.5 | 2016-05-20 | Integer overflow in the php_raw_url_encode function in ext/standard/url.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to cause a denial… |
| CVE-2016-6128 | HIGH | 7.5 | 2016-08-07 | The gdImageCropThreshold function in gd_crop.c in the GD Graphics Library (aka libgd) before 2.2.3, as used in PHP before 7.0.9, allows remote attackers to cause a denial of servi… |
| CVE-2016-7125 | HIGH | 7.5 | 2016-09-12 | ext/session/session.c in PHP before 5.6.25 and 7.x before 7.0.10 skips invalid session names in a way that triggers incorrect parsing, which allows remote attackers to inject arbi… |
| CVE-2016-7130 | HIGH | 7.5 | 2016-09-12 | The php_wddx_pop_element function in ext/wddx/wddx.c in PHP before 5.6.25 and 7.x before 7.0.10 allows remote attackers to cause a denial of service (NULL pointer dereference and … |
| CVE-2016-7131 | HIGH | 7.5 | 2016-09-12 | ext/wddx/wddx.c in PHP before 5.6.25 and 7.x before 7.0.10 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or possibly have u… |
| CVE-2016-7132 | HIGH | 7.5 | 2016-09-12 | ext/wddx/wddx.c in PHP before 5.6.25 and 7.x before 7.0.10 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or possibly have u… |
| CVE-2016-7416 | HIGH | 7.5 | 2016-09-17 | ext/intl/msgformat/msgformat_format.c in PHP before 5.6.26 and 7.x before 7.0.11 does not properly restrict the locale length provided to the Locale class in the ICU library, whic… |
| CVE-2016-7418 | HIGH | 7.5 | 2016-09-17 | The php_wddx_push_element function in ext/wddx/wddx.c in PHP before 5.6.26 and 7.x before 7.0.11 allows remote attackers to cause a denial of service (invalid pointer access and o… |
| CVE-2016-9933 | HIGH | 7.5 | 2017-01-04 | Stack consumption vulnerability in the gdImageFillToBorder function in gd.c in the GD Graphics Library (aka libgd) before 2.2.2, as used in PHP before 5.6.28 and 7.x before 7.0.13… |
| CVE-2016-9934 | HIGH | 7.5 | 2017-01-04 | ext/wddx/wddx.c in PHP before 5.6.28 and 7.x before 7.0.13 allows remote attackers to cause a denial of service (NULL pointer dereference) via crafted serialized data in a wddxPac… |
| CVE-2016-7478 | HIGH | 7.5 | 2017-01-11 | Zend/zend_exceptions.c in PHP, possibly 5.x before 5.6.28 and 7.x before 7.0.13, allows remote attackers to cause a denial of service (infinite loop) via a crafted Exception objec… |
| CVE-2016-10158 | HIGH | 7.5 | 2017-01-24 | The exif_convert_any_to_int function in ext/exif/exif.c in PHP before 5.6.30, 7.0.x before 7.0.15, and 7.1.x before 7.1.1 allows remote attackers to cause a denial of service (app… |
| CVE-2016-10159 | HIGH | 7.5 | 2017-01-24 | Integer overflow in the phar_parse_pharfile function in ext/phar/phar.c in PHP before 5.6.30 and 7.0.x before 7.0.15 allows remote attackers to cause a denial of service (memory c… |
| CVE-2016-10161 | HIGH | 7.5 | 2017-01-24 | The object_common1 function in ext/standard/var_unserializer.c in PHP before 5.6.30, 7.0.x before 7.0.15, and 7.1.x before 7.1.1 allows remote attackers to cause a denial of servi… |
| CVE-2016-10162 | HIGH | 7.5 | 2017-01-24 | The php_wddx_pop_element function in ext/wddx/wddx.c in PHP 7.0.x before 7.0.15 and 7.1.x before 7.1.1 allows remote attackers to cause a denial of service (NULL pointer dereferen… |
| CVE-2015-8994 | HIGH | 7.5 | 2017-03-02 | An issue was discovered in PHP 5.x and 7.x, when the configuration uses apache2handler/mod_php or php-fpm with OpCache enabled. With 5.x after 5.6.28 or 7.x after 7.0.13, the issu… |
| CVE-2016-10397 | HIGH | 7.5 | 2017-07-10 | In PHP before 5.6.28 and 7.x before 7.0.13, incorrect handling of various URI components in the URL parser could be used by attackers to bypass hostname-specific URL checks, as de… |
| CVE-2017-11142 | HIGH | 7.5 | 2017-07-10 | In PHP before 5.6.31, 7.x before 7.0.17, and 7.1.x before 7.1.3, remote attackers could cause a CPU consumption denial of service attack by injecting long form variables, related … |
| CVE-2017-11144 | HIGH | 7.5 | 2017-07-10 | In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before 7.1.7, the openssl extension PEM sealing code did not check the return value of the OpenSSL sealing function, which could… |
| CVE-2017-11145 | HIGH | 7.5 | 2017-07-10 | In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before 7.1.7, an error in the date extension's timelib_meridian parsing code could be used by attackers able to supply date stri… |
| CVE-2017-12934 | HIGH | 7.5 | 2017-08-18 | ext/standard/var_unserializer.re in PHP 7.0.x before 7.0.21 and 7.1.x before 7.1.7 is prone to a heap use after free while unserializing untrusted data, related to the zval_get_ty… |
| CVE-2017-16642 | HIGH | 7.5 | 2017-11-07 | In PHP before 5.6.32, 7.x before 7.0.25, and 7.1.x before 7.1.11, an error in the date extension's timelib_meridian handling of 'front of' and 'back of' directives could be used b… |
| CVE-2016-10712 | HIGH | 7.5 | 2018-02-09 | In PHP before 5.5.32, 5.6.x before 5.6.18, and 7.x before 7.0.3, all of the return values of stream_get_meta_data can be controlled if the input can be controlled (e.g., during fi… |
| CVE-2018-10546 | HIGH | 7.5 | 2018-04-29 | An issue was discovered in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. An infinite loop exists in ext/iconv/iconv.c because the iconv stre… |
| CVE-2018-10548 | HIGH | 7.5 | 2018-04-29 | An issue was discovered in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. ext/ldap/ldap.c allows remote LDAP servers to cause a denial of ser… |
| CVE-2018-14883 | HIGH | 7.5 | 2018-08-03 | An issue was discovered in PHP before 5.6.37, 7.0.x before 7.0.31, 7.1.x before 7.1.20, and 7.2.x before 7.2.8. An Integer Overflow leads to a heap-based buffer over-read in exif_… |
| CVE-2018-14884 | HIGH | 7.5 | 2018-08-03 | An issue was discovered in PHP 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1. Inappropriately parsing an HTTP response leads to a segmentation fault because htt… |
| CVE-2018-15132 | HIGH | 7.5 | 2018-08-07 | An issue was discovered in ext/standard/link_win32.c in PHP before 5.6.37, 7.0.x before 7.0.31, 7.1.x before 7.1.20, and 7.2.x before 7.2.8. The linkinfo function on Windows doesn… |
| CVE-2018-20783 | HIGH | 7.5 | 2019-02-21 | In PHP before 5.6.39, 7.x before 7.0.33, 7.1.x before 7.1.25, and 7.2.x before 7.2.13, a buffer over-read in PHAR reading functions may allow an attacker to read allocated or unal… |
| CVE-2021-24981 | HIGH | 7.5 | 2021-12-21 | The Directorist WordPress plugin before 7.0.6.2 was vulnerable to Cross-Site Request Forgery to Remote File Upload leading to arbitrary PHP shell uploads in the wp-content/plugins… |
| CVE-2015-6527 | HIGH | 7.3 | 2016-01-19 | The php_str_replace_in_subject function in ext/standard/string.c in PHP 7.x before 7.0.0 allows remote attackers to execute arbitrary code via a crafted value in the third argumen… |
| CVE-2016-1904 | HIGH | 7.3 | 2016-01-19 | Multiple integer overflows in ext/standard/exec.c in PHP 7.x before 7.0.2 allow remote attackers to cause a denial of service or possibly have unspecified other impact via a long … |
| CVE-2015-8865 | HIGH | 7.3 | 2016-05-20 | The file_check_mem function in funcs.c in file before 5.23, as used in the Fileinfo component in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5, mishandles continuat… |
| CVE-2024-7553 | HIGH | 7.3 | 2024-08-07 | Incorrect validation of files loaded from a local untrusted directory may allow local privilege escalation if the underlying operating systems is Windows. This may result in the a… |
| CVE-2012-2053 | HIGH | 7.2 | 2012-04-05 | The sudoers file in the Linux system configuration in F5 FirePass 6.0.0 through 6.1.0 and 7.0.0 does not require a password for executing commands as root, which allows local user… |
| CVE-2017-15935 | HIGH | 7.2 | 2017-10-27 | Artica Pandora FMS version 7.0 is vulnerable to remote PHP code execution through the manager files function. This is only exploitable by administrators who upload a PHP file. |
| CVE-2018-16320 | HIGH | 7.2 | 2018-09-01 | idreamsoft iCMS 7.0.11 allows admincp.php?app=config Directory Traversal, resulting in execution of arbitrary PHP code from a ZIP file. |
| CVE-2018-19512 | HIGH | 7.2 | 2019-03-21 | In Webgalamb through 7.0, a system/ajax.php "wgmfile restore" directory traversal vulnerability could lead to arbitrary code execution by authenticated administrator users, becaus… |
| CVE-2016-3185 | HIGH | 7.1 | 2016-05-16 | The make_http_soap_request function in ext/soap/php_http.c in PHP before 5.4.44, 5.5.x before 5.5.28, 5.6.x before 5.6.12, and 7.x before 7.0.4 allows remote attackers to obtain s… |
| CVE-2004-1818 | MEDIUM | 6.8 | 2004-03-15 | Cross-site scripting (XSS) vulnerability in nmimage.php in 4nalbum 0.92 for PHP-Nuke 6.5 through 7.0 allows remote attackers to execute arbitrary script as other users by injectin… |
| CVE-2008-5335 | MEDIUM | 6.8 | 2008-12-05 | SQL injection vulnerability in messages.php in PHP-Fusion 6.01.15 and 7.00.1, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the … |
| CVE-2025-68129 | MEDIUM | 6.8 | 2025-12-17 | Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. In applications built with the Auth0-PHP SDK, the audience validation in access tokens is performed improperly… |
| CVE-2013-1806 | MEDIUM | 6.5 | 2014-04-30 | Multiple directory traversal vulnerabilities in PHP-Fusion before 7.02.06 allow remote authenticated users to include and execute arbitrary files via a .. (dot dot) in the (1) use… |
| CVE-2016-6292 | MEDIUM | 6.5 | 2016-07-25 | The exif_process_user_comment function in ext/exif/exif.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of service (NUL… |
| CVE-2018-5712 | MEDIUM | 6.1 | 2018-01-16 | An issue was discovered in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1. There is Reflected XSS on the PHAR 404 error page via the URI of a … |
| CVE-2018-10547 | MEDIUM | 6.1 | 2018-04-29 | An issue was discovered in ext/phar/phar_object.c in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. There is Reflected XSS on the PHAR 403 an… |
| CVE-2018-17082 | MEDIUM | 6.1 | 2018-09-16 | The Apache2 component in PHP before 5.6.38, 7.0.x before 7.0.32, 7.1.x before 7.1.22, and 7.2.x before 7.2.10 allows XSS via the body of a "Transfer-Encoding: chunked" request, be… |
| CVE-2014-8597 | MEDIUM | 6.1 | 2022-02-17 | A reflected cross-site scripting (XSS) vulnerability in PHP-Fusion 7.02.07 allows remote attackers to inject arbitrary web script or HTML via the status parameter in the CMS admin… |
| CVE-2008-1918 | MEDIUM | 6.0 | 2008-04-23 | SQL injection vulnerability in submit.php in PHP-Fusion 6.01.14 and 6.00.307, when magic_quotes_gpc is disabled and the database table prefix is known, allows remote authenticated… |
| CVE-2018-5711 | MEDIUM | 5.5 | 2018-01-16 | gd_gif_in.c in the GD Graphics Library (aka libgd), as used in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1, has an integer signedness error… |
| CVE-2018-14851 | MEDIUM | 5.5 | 2018-08-02 | exif_process_IFD_in_MAKERNOTE in ext/exif/exif.c in PHP before 5.6.37, 7.0.x before 7.0.31, 7.1.x before 7.1.20, and 7.2.x before 7.2.8 allows remote attackers to cause a denial o… |
| CVE-2016-7128 | MEDIUM | 5.3 | 2016-09-12 | The exif_process_IFD_in_TIFF function in ext/exif/exif.c in PHP before 5.6.25 and 7.x before 7.0.10 mishandles the case of a thumbnail offset that exceeds the file size, which all… |
| CVE-2003-1526 | MEDIUM | 5.0 | 2003-12-31 | PHP-Nuke 7.0 allows remote attackers to obtain the installation path via certain characters such as (1) ", (2) ', or (3) > in the search field, which reveals the path in an error … |
| CVE-2004-1819 | MEDIUM | 5.0 | 2004-03-15 | 4nalbum 0.92 for PHP-Nuke 6.5 through 7.0 allows remote attackers to obtain sensitive information via a direct request to displaycategory.php, which reveals the path in an error m… |
| CVE-2006-2002 | MEDIUM | 5.0 | 2006-04-25 | PHP remote file inclusion vulnerability in stats.php in MyGamingLadder 7.0 allows remote attackers to execute arbitrary PHP code via a URL in the dir[base] parameter. |
| CVE-2013-1807 | MEDIUM | 5.0 | 2014-04-30 | PHP-Fusion before 7.02.06 stores backup files with predictable filenames in an unrestricted directory under the web document root, which might allow remote attackers to obtain sen… |
| CVE-2018-10545 | MEDIUM | 4.7 | 2018-04-29 | An issue was discovered in PHP before 5.6.35, 7.0.x before 7.0.29, 7.1.x before 7.1.16, and 7.2.x before 7.2.4. Dumpable FPM child processes allow bypassing opcache access control… |
| CVE-2008-6850 | MEDIUM | 4.3 | 2009-07-07 | Cross-site scripting (XSS) vulnerability in messages.php in PHP-Fusion 6.01.17 and 7.00.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| CVE-2009-4677 | MEDIUM | 4.3 | 2010-03-08 | Cross-site scripting (XSS) vulnerability in search.php in phpFK PHP Forum ohne 7.0.4 allows remote attackers to inject arbitrary web script or HTML via the search parameter. NOTE… |
| CVE-2012-2903 | MEDIUM | 4.3 | 2012-05-21 | Multiple cross-site scripting (XSS) vulnerabilities in PHP Address Book 7.0 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) PATH_INFO to grou… |
| CVE-2012-1912 | MEDIUM | 4.3 | 2012-09-09 | Cross-site scripting (XSS) vulnerability in preferences.php in PHP Address Book 7.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the from paramet… |
| CVE-2012-6043 | MEDIUM | 4.3 | 2012-11-26 | Cross-site scripting (XSS) vulnerability in downloads.php in PHP-Fusion 7.02.04 allows remote attackers to inject arbitrary web script or HTML via the cat_id parameter. |
| CVE-2013-1955 | MEDIUM | 4.3 | 2013-07-20 | Multiple cross-site scripting (XSS) vulnerabilities in (1) index.php and (2) datePicker.php in Easy PHP Calendar 6.x and 7.x before 7.0.13 allow remote attackers to inject arbitra… |
| CVE-2013-1804 | MEDIUM | 4.3 | 2014-04-29 | Multiple cross-site scripting (XSS) vulnerabilities in PHP-Fusion before 7.02.06 allow remote attackers to inject arbitrary web script or HTML via the (1) highlight parameter to f… |
| CVE-2024-50341 | LOW | 3.1 | 2024-11-06 | symfony/security-bundle is a module for the Symfony PHP framework which provides a tight integration of the Security component into the Symfony full-stack framework. The custom `… |
| CVE-2023-6472 | LOW | 2.4 | 2023-12-02 | A vulnerability, which was classified as problematic, has been found in PHPEMS 7.0. This issue affects some unknown processing of the file app\content\cls\api.cls.php of the compo… |
| CVE-2020-36877 | N/A | — | 2025-12-05 | ReQuest Serious Play F3 Media Server 7.0.3 contains an unauthenticated remote code execution vulnerability that allows attackers to execute arbitrary commands as the web server us… |
Running PHP 7.0 in 2024 is like leaving your front door unlocked with a sign inviting burglars inside. With 61 critical vulnerabilities and zero ongoing security support, upgrading isn't optional—it's essential. The good news is that modern PHP versions (8.0+) are faster, more secure, and better supported than ever before. Most websites can upgrade with minimal effort and actually see improved performance.
Don't become another breach statistic. Use SiteRecipe.com's free server health scanner to identify all outdated software on your site, including PHP version, plugin vulnerabilities, and SSL certificate status. Our platform provides one-click upgrade assistance and tracks your security posture continuously. Get started today—your website's security depends on it.