PHP 7.1.28 contains two critical vulnerabilities in its EXIF extension that could expose sensitive information or crash your website. These vulnerabilities affect hundreds of active websites, making this a serious security concern that demands immediate attention. If your site runs PHP 7.1.28 or earlier versions in the 7.1.x branch, you could be at risk right now.
This comprehensive guide will help you understand these vulnerabilities, identify if your website is affected, and provide step-by-step instructions to protect your site. Taking action immediately is crucial to prevent potential data breaches and system failures.
What is Php 7.1.28?
PHP 7.1.28 is a server-side programming language used to power millions of websites worldwide. It handles the backend logic that makes websites function—processing user data, managing databases, and generating dynamic content. Think of it as the engine that runs your website behind the scenes. Most content management systems like WordPress, Drupal, and Joomla rely on PHP to operate.
The EXIF extension is a specific feature within PHP designed to read image metadata—the hidden information embedded in photos like camera type, date taken, and GPS location. Web developers use this to extract image details automatically. However, when EXIF processes certain malformed image files, it can accidentally read data beyond its allocated memory space, creating a security hole.
Key Vulnerabilities in Php 7.1.28
2 CVEs found. The most critical are explained below.
PHP 7.1.28 and earlier versions have a bug when reading photo metadata (EXIF data). An attacker can upload a specially crafted image file that causes the server to read data from memory it shouldn't access. This could expose sensitive information or crash your website.
Impact: A hacker could steal private data from your server's memory or cause your website to go offline by uploading a malicious image file.
Similar to the first issue, PHP 7.1.28 and earlier has another bug in how it processes image metadata. A crafted file can trick the server into accessing memory locations it shouldn't, potentially leaking sensitive information or causing crashes.
Impact: An attacker could extract confidential data from your server or make your website unavailable by uploading a specially designed image.
1Log into your web hosting control panel or server dashboard and navigate to the PHP version settings or system information page
2Look for your current PHP version number—you're checking for versions 7.1.x below 7.1.28, or 7.2.x below 7.2.17, or 7.3.x below 7.3.4
3If you find you're using one of these vulnerable versions, document it immediately and proceed to the fix guide below
How to Fix These Vulnerabilities
1Contact your hosting provider's support team and request an upgrade to PHP 7.1.28 or higher (preferably PHP 7.4+ or PHP 8.x for better security and performance)
2If you manage your own server, download the latest stable PHP version from php.net and follow the installation guide specific to your operating system
3After upgrading, test your website thoroughly—check all forms, image uploads, database queries, and critical features to ensure nothing broke during the update
4Verify the upgrade by checking your PHP version again through your control panel or running phpinfo() to confirm you're no longer running a vulnerable version
Conclusion
These two critical EXIF vulnerabilities in PHP 7.1.28 represent a genuine threat to your website's security and stability. The good news is that upgrading PHP is straightforward and significantly improves not just security, but also website performance and compatibility with modern web standards. Waiting to address these vulnerabilities puts your site and users' data at unnecessary risk.
Don't let your website remain exposed to critical threats. Use SiteRecipe.com's comprehensive security scanner to automatically detect vulnerable versions, outdated plugins, and other security issues affecting your site. Our platform provides actionable recommendations and helps you prioritize fixes based on severity. Start your free security audit today and take control of your website's protection.
Frequently Asked Questions
Can these vulnerabilities be exploited remotely?
Yes, an attacker can exploit these vulnerabilities by uploading specially crafted image files to your website. The EXIF extension will process the malformed file, read past allocated memory, and potentially leak sensitive information or cause your site to crash. This is why updating immediately is critical.
Will upgrading PHP break my website?
Most websites upgrade to newer PHP versions without issues, especially when jumping from 7.1 to modern versions. However, older custom code or legacy plugins might need updates. Test your site thoroughly after upgrading, and contact your hosting provider if you encounter problems—they can usually help resolve compatibility issues quickly.
What if I'm using a content management system like WordPress?
WordPress and other CMS platforms run on top of PHP, so upgrading your server's PHP version automatically protects your entire site. Most modern WordPress versions support PHP 7.4 and newer. Check your theme and plugin compatibility before upgrading to ensure everything works smoothly with the new PHP version.
Are there any temporary workarounds if I can't upgrade immediately?
While upgrading is the proper solution, you can temporarily reduce risk by disabling EXIF processing if you don't need image metadata, restricting file uploads to trusted users, and implementing a Web Application Firewall (WAF) to filter malicious requests. However, these are only temporary measures—upgrade as soon as possible for complete protection.
Generate white-label reports for your clients
Web agencies use SiteRecipe to produce branded PDF security reports in 30 seconds.
DISCLAIMER: This report is based on publicly available CVE data from the National Vulnerability
Database (NVD) maintained by NIST. Detection of a technology version does not confirm active
exploitation on any specific website. For informational purposes only.
SiteRecipe is not responsible for actions taken based on this report.
Always consult a qualified security professional.