PHP 7.2 reached end-of-life in November 2020, yet approximately 200 websites still run this vulnerable version. Our security research has identified 79 known CVEs affecting PHP 7.2, with 14 classified as critical severity. These vulnerabilities expose your website to remote code execution, memory corruption, and data breaches. This comprehensive guide explains the risks, shows you how to identify if your site is affected, and provides step-by-step instructions to secure your installation.
The most dangerous vulnerabilities in PHP 7.2 include heap buffer overflows in XML-RPC functions, use-after-free errors in EXIF processing, and HTTP stream parsing flaws. Attackers actively exploit these weaknesses to gain unauthorized access to servers, steal sensitive data, and inject malicious code. Many website owners delay upgrading because they fear compatibility issues or lack technical knowledge. However, the security risks of staying on PHP 7.2 far outweigh the effort required to modernize your stack.
PHP 7.2 is a release of PHP, the server-side programming language that powers a large portion of the internet, including WordPress, Drupal, and thousands of custom web applications. Released in November 2016, it was designed to improve performance and introduce modern coding features. Like all software, PHP receives security updates throughout its supported lifetime to patch newly discovered vulnerabilities. Once a version reaches its end-of-life date, the developers stop releasing security patches, leaving everyone still running it exposed to known threats.
Thinking of PHP 7.2 like an older car model helps clarify the risk: manufacturers stop releasing safety recalls once a vehicle is discontinued. Similarly, PHP 7.2 no longer receives security updates, meaning any new vulnerabilities discovered will never be patched. The 79 CVEs affecting PHP 7.2 represent security holes that attackers know about and can exploit. Running outdated software is one of the most common ways websites get hacked, yet it's also one of the easiest problems to fix.
79 CVEs found. The most critical are explained below.
PHP's HTTP stream handling has a flaw in how it parses responses from other servers. When fetching content from a remote server, PHP can read more memory than intended, potentially exposing sensitive information or crashing the website.
Impact: Attackers could steal confidential data from your server's memory or cause your website to stop working unexpectedly.
PHP's photo metadata reader (the EXIF extension) has a bug that makes it close files it should not be closing. If your website processes image uploads or reads photo metadata, attackers can craft images that trigger this flaw.
Impact: Your website could crash when processing certain images, or attackers could potentially execute malicious code on your server.
If you're using Umbraco (a content management system), the system doesn't properly block .php file uploads, so attackers can upload executable programs disguised as other file types.
Impact: Attackers can upload and run harmful code on your server, giving them complete control of your website and data.
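The two sides of the upload problem described above, as an added example that is not SiteRecipe's code: an allow-list check of the kind a correct upload filter applies (judging every extension in the name, so a disguised `photo.php.jpg` is rejected along with `shell.php`), and a directory sweep that finds script files an ineffective filter has already let through. The sample upload directory and file names are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not SiteRecipe's code): allow-list check for uploaded file
# names plus a sweep of an existing upload directory for server-side scripts.
# The sample directory built by make_sample_upload_dir is constructed.

# is_allowed_upload NAME: exit 0 when NAME is safe to store, 1 otherwise.
# Script extensions are rejected wherever they appear in the name (not just
# at the end), and only an explicit allow-list of final extensions passes.
is_allowed_upload() {
  name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  case "$name" in
    *.php|*.php.*|*.phtml|*.phtml.*|*.phar|*.phar.*) return 1 ;;
  esac
  case "$name" in
    *.jpg|*.jpeg|*.png|*.gif|*.pdf) return 0 ;;
  esac
  return 1
}

# suspicious_uploads DIR: print (sorted, one per line) the base names of files
# under DIR that a typical PHP handler mapping would execute, including
# double-extension names such as photo.php.jpg.
suspicious_uploads() {
  find "$1" -type f \( -iname '*.php' -o -iname '*.php.*' \
       -o -iname '*.phtml' -o -iname '*.phar' \) |
    while read -r f; do basename "$f"; done | LC_ALL=C sort
}

# check_upload_dir DIR: report findings; exit 0 when clean, 1 when not.
check_upload_dir() {
  hits=$(suspicious_uploads "$1")
  if [ -n "$hits" ]; then
    printf 'Script files found in %s:\n%s\n' "$1" "$hits"
    return 1
  fi
  echo "No script files found in $1"
  return 0
}

# make_sample_upload_dir: constructed throwaway folder mixing harmless and
# suspicious names; prints its path so the caller can remove it afterwards.
make_sample_upload_dir() {
  dir=$(mktemp -d)
  for name in avatar.jpg notes.txt shell.php photo.php.jpg loader.phtml pack.phar; do
    : > "$dir/$name"
  done
  printf '%s\n' "$dir"
}

sample=$(make_sample_upload_dir)
check_upload_dir "$sample" || true
rm -rf "$sample"
```

The sweep is a detection aid for a directory that already exists; the filter is what should have stopped the files from landing there in the first place. In practice both are paired with a web-server rule that refuses to execute scripts from the upload location at all, so that even a file the filter misses cannot run.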
PHP incorrectly handles certain kinds of XML data, causing it to access invalid memory locations. If your website processes XML feeds or XML data from external sources, this creates a vulnerability.
Impact: Attackers could crash your website or potentially execute harmful code by sending malformed XML data.
PHP's handling of PHAR archives (PHP's compressed package format) reads beyond the intended file boundaries. Attackers can craft malicious archives to exploit this.
Impact: Attackers could read sensitive data from your server's memory or crash your website when processing certain file uploads.
PHP's multibyte text processing (the mbstring extension) has multiple flaws when handling unusual character encodings. Websites that process international text or user input are at risk.
Impact: Attackers could read sensitive information from server memory or crash your website by submitting specially crafted text.
| CVE ID | Severity | Score | Published | Description |
|---|---|---|---|---|
| CVE-2019-9641 | CRITICAL | 9.8 | 2019-03-09 | An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an uninitialized read in exif_process_IFD_in_TIFF. |
| CVE-2020-11546 | CRITICAL | 9.8 | 2020-07-14 | SuperWebMailer 7.21.0.01526 is susceptible to a remote code execution vulnerability in the Language parameter of mailingupgrade.php. An unauthenticated remote attacker can exploit… |
| CVE-2019-11034 | CRITICAL | 9.1 | 2019-04-18 | When processing certain files, PHP EXIF extension in versions 7.1.x below 7.1.28, 7.2.x below 7.2.17 and 7.3.x below 7.3.4 can be caused to read past allocated buffer in exif_proc… |
| CVE-2019-11035 | CRITICAL | 9.1 | 2019-04-18 | When processing certain files, PHP EXIF extension in versions 7.1.x below 7.1.28, 7.2.x below 7.2.17 and 7.3.x below 7.3.4 can be caused to read past allocated buffer in exif_iif_… |
| CVE-2019-11036 | CRITICAL | 9.1 | 2019-05-03 | When processing certain files, PHP EXIF extension in versions 7.1.x below 7.1.29, 7.2.x below 7.2.18 and 7.3.x below 7.3.5 can be caused to read past allocated buffer in exif_proc… |
| CVE-2019-11039 | CRITICAL | 9.1 | 2019-06-19 | Function iconv_mime_decode_headers() in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6 may perform out-of-buffer read due to integer overflow when parsi… |
| CVE-2019-11040 | CRITICAL | 9.1 | 2019-06-19 | When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6… |
| CVE-2026-40484 | CRITICAL | 9.1 | 2026-04-18 | ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the database backup restore functionality extracts uploaded archive contents and copies files fro… |
| CVE-2001-1370 | HIGH | 10.0 | 2001-07-21 | prepend.php3 in PHPLib before 7.2d, when register_globals is enabled for PHP, allows remote attackers to execute arbitrary scripts via an HTTP request that modifies $_PHPLIB[libdi… |
| CVE-2018-10549 | HIGH | 8.8 | 2018-04-29 | An issue was discovered in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. exif_read_data in ext/exif/exif.c has an out-of-bounds read for cra… |
| CVE-2019-6977 | HIGH | 8.8 | 2019-01-27 | gdImageColorMatch in gd_color_match.c in the GD Graphics Library (aka LibGD) 2.2.5, as used in the imagecolormatch function in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7… |
| CVE-2025-10057 | HIGH | 8.8 | 2025-09-17 | The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 7.28. This is due to the … |
| CVE-2019-11043 | HIGH | 8.7 | 2019-10-28 | In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 in certain configurations of FPM setup it is possible to cause FPM module to write past allocated buf… |
| CVE-2023-45868 | HIGH | 8.1 | 2023-10-26 | The Learning Module in ILIAS 7.25 (2023-09-12 release) allows an attacker (with basic user privileges) to achieve a high-impact Directory Traversal attack on confidentiality and a… |
| CVE-2017-10665 | HIGH | 7.8 | 2017-08-18 | Directory traversal vulnerability in ajaxfileupload.php in Kayson Group Ltd. phpGrid before 7.2.5 allows remote attackers to execute arbitrary code by uploading a crafted file wit… |
| CVE-2004-1932 | HIGH | 7.5 | 2004-04-12 | SQL injection vulnerability in (1) auth.php and (2) admin.php in PHP-Nuke 6.x through 7.2 allows remote attackers to execute arbitrary SQL code and create an administrator account… |
| CVE-2004-1929 | HIGH | 7.5 | 2004-04-13 | SQL injection vulnerability in the bblogin function in functions.php in PHP-Nuke 6.x through 7.2 allows remote attackers to bypass authentication and gain access by injecting base… |
| CVE-2004-2000 | HIGH | 7.5 | 2004-05-05 | SQL injection vulnerability in the Downloads module in Php-Nuke 6.x through 7.2 allows remote attackers to execute arbitrary SQL via the (1) orderby or (2) sid parameters to modul… |
| CVE-2005-3796 | HIGH | 7.5 | 2005-11-24 | Direct static code injection vulnerability in admin_options_manage.php in AlstraSoft Affiliate Network Pro 7.2 allows attackers to execute arbitrary PHP code via the number parame… |
| CVE-2018-10546 | HIGH | 7.5 | 2018-04-29 | An issue was discovered in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. An infinite loop exists in ext/iconv/iconv.c because the iconv stre… |
| CVE-2018-10548 | HIGH | 7.5 | 2018-04-29 | An issue was discovered in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. ext/ldap/ldap.c allows remote LDAP servers to cause a denial of ser… |
| CVE-2018-11222 | HIGH | 7.5 | 2018-06-16 | Local File Inclusion (LFI) in Artica Pandora FMS through version 7.23 allows an attacker to call any php file via the /pandora_console/ajax.php ajax endpoint. |
| CVE-2018-14883 | HIGH | 7.5 | 2018-08-03 | An issue was discovered in PHP before 5.6.37, 7.0.x before 7.0.31, 7.1.x before 7.1.20, and 7.2.x before 7.2.8. An Integer Overflow leads to a heap-based buffer over-read in exif_… |
| CVE-2018-14884 | HIGH | 7.5 | 2018-08-03 | An issue was discovered in PHP 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1. Inappropriately parsing an HTTP response leads to a segmentation fault because htt… |
| CVE-2018-15132 | HIGH | 7.5 | 2018-08-07 | An issue was discovered in ext/standard/link_win32.c in PHP before 5.6.37, 7.0.x before 7.0.31, 7.1.x before 7.1.20, and 7.2.x before 7.2.8. The linkinfo function on Windows doesn… |
| CVE-2018-20783 | HIGH | 7.5 | 2019-02-21 | In PHP before 5.6.39, 7.x before 7.0.33, 7.1.x before 7.1.25, and 7.2.x before 7.2.13, a buffer over-read in PHAR reading functions may allow an attacker to read allocated or unal… |
| CVE-2019-9022 | HIGH | 7.5 | 2019-02-22 | An issue was discovered in PHP 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.2. dns_get_record misparses a DNS response, which can allow a hostile DNS server to cau… |
| CVE-2019-9024 | HIGH | 7.5 | 2019-02-22 | An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. xmlrpc_decode() can allow a hostile XMLRPC server to cause PHP to rea… |
| CVE-2019-9637 | HIGH | 7.5 | 2019-03-09 | An issue was discovered in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. Due to the way rename() across filesystems is implemented, it is possible that file bein… |
| CVE-2019-9638 | HIGH | 7.5 | 2019-03-09 | An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an uninitialized read in exif_process_IFD_in_MAKERNOTE be… |
| CVE-2019-9639 | HIGH | 7.5 | 2019-03-09 | An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an uninitialized read in exif_process_IFD_in_MAKERNOTE be… |
| CVE-2019-9640 | HIGH | 7.5 | 2019-03-09 | An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an Invalid Read in exif_process_SOFn. |
| CVE-2020-7062 | HIGH | 7.5 | 2020-02-27 | In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15 and 7.4.x below 7.4.3, when using file upload functionality, if upload progress tracking is enabled, but session.upload_prog… |
| CVE-2020-7067 | HIGH | 7.5 | 2020-04-27 | In PHP versions 7.2.x below 7.2.30, 7.3.x below 7.3.17 and 7.4.x below 7.4.5, if PHP is compiled with EBCDIC support (uncommon), urldecode() function can be made to access locatio… |
| CVE-2020-11579 | HIGH | 7.5 | 2020-09-03 | An issue was discovered in Chadha PHPKB 9.0 Enterprise Edition. installer/test-connection.php (part of the installation process) allows a remote unauthenticated attacker to disclo… |
| CVE-2022-27257 | HIGH | 7.5 | 2022-04-15 | A PHP Local File Inclusion vulnerability in the default Redbasic theme for Hubzilla before version 7.2 allows remote attackers to include arbitrary php files via the schema paramet… |
| CVE-2022-4043 | HIGH | 7.2 | 2023-01-09 | The WP Custom Admin Interface WordPress plugin before 7.29 unserializes user input provided via the settings, which could allow high privilege users such as admin to perform PHP Ob… |
| CVE-2019-11041 | HIGH | 7.1 | 2019-08-09 | When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.1.x below 7.1.31, 7.2.x below 7.2.21 and 7.3.x below 7.3.8… |
| CVE-2019-11042 | HIGH | 7.1 | 2019-08-09 | When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.1.x below 7.1.31, 7.2.x below 7.2.21 and 7.3.x below 7.3.8… |
| CVE-2007-5914 | MEDIUM | 6.8 | 2007-11-10 | Direct static code injection vulnerability in dirsys/modules/config/post.php in JBC Explorer 7.20 RC1 and earlier allows remote authenticated administrators to inject arbitrary PH… |
| CVE-2009-0441 | MEDIUM | 6.8 | 2009-02-10 | PHP remote file inclusion vulnerability in skin_shop/standard/2_view_body/body_default.php in TECHNOTE 7.2, when register_globals is enabled, allows remote attackers to execute ar… |
| CVE-2013-6386 | MEDIUM | 6.8 | 2013-12-07 | Drupal 6.x before 6.29 and 7.x before 7.24 uses the PHP mt_rand function to generate random numbers, which uses predictable seeds and allows remote attackers to predict security s… |
| CVE-2015-9253 | MEDIUM | 6.5 | 2018-02-19 | An issue was discovered in PHP 7.3.x before 7.3.0alpha3, 7.2.x before 7.2.8, and before 7.1.20. The php-fpm master process restarts a child process in an endless loop when using p… |
| CVE-2020-7059 | MEDIUM | 6.5 | 2020-02-10 | When using fgetss() function to read data with stripping tags, in PHP versions 7.2.x below 7.2.27, 7.3.x below 7.3.14 and 7.4.x below 7.4.2 it is possible to supply data that will… |
| CVE-2020-7060 | MEDIUM | 6.5 | 2020-02-10 | When using certain mbstring functions to convert multibyte encodings, in PHP versions 7.2.x below 7.2.27, 7.3.x below 7.3.14 and 7.4.x below 7.4.2 it is possible to supply data th… |
| CVE-2020-7064 | MEDIUM | 6.5 | 2020-04-01 | In PHP versions 7.2.x below 7.2.9, 7.3.x below 7.3.16 and 7.4.x below 7.4.4, while parsing EXIF data with exif_read_data() function, it is possible for malicious data to cause PHP… |
| CVE-2018-5712 | MEDIUM | 6.1 | 2018-01-16 | An issue was discovered in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1. There is Reflected XSS on the PHAR 404 error page via the URI of a … |
| CVE-2018-10547 | MEDIUM | 6.1 | 2018-04-29 | An issue was discovered in ext/phar/phar_object.c in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. There is Reflected XSS on the PHAR 403 an… |
| CVE-2018-17082 | MEDIUM | 6.1 | 2018-09-16 | The Apache2 component in PHP before 5.6.38, 7.0.x before 7.0.32, 7.1.x before 7.1.22, and 7.2.x before 7.2.10 allows XSS via the body of a "Transfer-Encoding: chunked" request, be… |
| CVE-2022-27256 | MEDIUM | 6.1 | 2022-04-13 | A PHP Local File inclusion vulnerability in the Redbasic theme for Hubzilla before version 7.2 allows remote attackers to include arbitrary php files via the schema parameter. |
| CVE-2018-5711 | MEDIUM | 5.5 | 2018-01-16 | gd_gif_in.c in the GD Graphics Library (aka libgd), as used in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1, has an integer signedness error… |
| CVE-2018-14851 | MEDIUM | 5.5 | 2018-08-02 | exif_process_IFD_in_MAKERNOTE in ext/exif/exif.c in PHP before 5.6.37, 7.0.x before 7.0.31, 7.1.x before 7.1.20, and 7.2.x before 7.2.8 allows remote attackers to cause a denial o… |
| CVE-2020-7063 | MEDIUM | 5.5 | 2020-02-27 | In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15 and 7.4.x below 7.4.3, when creating PHAR archive using PharData::buildFromIterator() function, the files are added with def… |
| CVE-2020-7069 | MEDIUM | 5.4 | 2020-10-02 | In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when AES-CCM mode is used with openssl_encrypt() function with 12 bytes IV, only first 7 bytes of th… |
| CVE-2019-11038 | MEDIUM | 5.3 | 2019-06-19 | When using the gdImageCreateFromXbm() function in the GD Graphics Library (aka LibGD) 2.2.5, as used in the PHP GD extension in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19… |
| CVE-2020-7066 | MEDIUM | 5.3 | 2020-04-01 | In PHP versions 7.2.x below 7.2.29, 7.3.x below 7.3.16 and 7.4.x below 7.4.4, while using get_headers() with user-supplied URL, if the URL contains zero (\0) character, the URL wi… |
| CVE-2019-11048 | MEDIUM | 5.3 | 2020-05-20 | In PHP versions 7.2.x below 7.2.31, 7.3.x below 7.3.18 and 7.4.x below 7.4.6, when HTTP file uploads are allowed, supplying overly long filenames or field names could lead PHP eng… |
| CVE-2004-1998 | MEDIUM | 5.0 | 2004-05-05 | The Downloads module in Php-Nuke 6.x through 7.2 allows remote attackers to gain sensitive information via an invalid show parameter to modules.php, which reveals the full path in… |
| CVE-2005-2289 | MEDIUM | 5.0 | 2005-07-18 | PHPCounter 7.2 allows remote attackers to obtain sensitive information via a direct request to prelims.php, which reveals the path in an error message. |
| CVE-2019-11047 | MEDIUM | 4.8 | 2019-12-23 | When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 it is possi… |
| CVE-2019-11050 | MEDIUM | 4.8 | 2019-12-23 | When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 it is possi… |
| CVE-2020-7068 | MEDIUM | 4.8 | 2020-09-09 | In PHP versions 7.2.x below 7.2.33, 7.3.x below 7.3.21 and 7.4.x below 7.4.9, while processing PHAR files using phar extension, phar_parse_zipfile could be tricked into accessing … |
| CVE-2018-10545 | MEDIUM | 4.7 | 2018-04-29 | An issue was discovered in PHP before 5.6.35, 7.0.x before 7.0.29, 7.1.x before 7.1.16, and 7.2.x before 7.2.4. Dumpable FPM child processes allow bypassing opcache access control… |
| CVE-2023-5965 | MEDIUM | 4.7 | 2023-11-30 | An authenticated privileged attacker could upload a specially crafted zip to the EspoCRM server in version 7.2.5, via the update form, which could lead to arbitrary PHP code execu… |
| CVE-2023-5966 | MEDIUM | 4.7 | 2023-11-30 | An authenticated privileged attacker could upload a specially crafted zip to the EspoCRM server in version 7.2.5, via the extension deployment form, which could lead to arbitrary … |
| CVE-2004-1930 | MEDIUM | 4.3 | 2004-04-12 | Cross-site scripting (XSS) vulnerability in the cookiedecode function in mainfile.php for PHP-Nuke 6.x through 7.2, when themes are used, allows remote attackers to inject arbitra… |
| CVE-2004-1999 | MEDIUM | 4.3 | 2004-05-05 | Cross-site scripting (XSS) vulnerability in the Downloads module in Php-Nuke 6.x through 7.2 allows remote attackers to inject arbitrary HTML and web script via the (1) ttitle or … |
| CVE-2005-2288 | MEDIUM | 4.3 | 2005-07-18 | Cross-site scripting (XSS) vulnerability in PHPCounter 7.2 allows remote attackers to inject arbitrary web script or HTML via the EpochPrefix parameter. |
| CVE-2020-7070 | MEDIUM | 4.3 | 2020-10-02 | In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when PHP is processing incoming HTTP cookie values, the cookie names are url-decoded. This may lead … |
| CVE-2019-11044 | LOW | 3.7 | 2019-12-23 | In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 on Windows, PHP link() function accepts filenames with embedded \0 byte and treats them as terminating at that byt… |
| CVE-2019-11045 | LOW | 3.7 | 2019-12-23 | In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP DirectoryIterator class accepts filenames with embedded \0 byte and treats them as terminating at that byte. … |
| CVE-2019-11046 | LOW | 3.7 | 2019-12-23 | In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP bcmath extension functions on some systems, including Windows, can be tricked into reading beyond the allocat… |
| CVE-2025-34121 | N/A | — | 2025-07-16 | An unauthenticated arbitrary file upload vulnerability exists in Idera Up.Time Monitoring Station versions up to and including 7.2. The `wizards/post2file.php` script accepts arbi… |
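The table's descriptions give, for each core-PHP bug, the first 7.2.x release that fixes it. The following added script (not SiteRecipe's code) turns a subset of those thresholds into an audit of the PHP build actually installed: it reads the version from `php -v`, lists which of the transcribed CVEs are still unfixed on that build, and filters `php -m` for the extensions that host the affected parsers (EXIF, PHAR, XML-RPC, mbstring, iconv, GD, bcmath). The CVE/threshold pairs are copied from the table above; the sample `php -v` and `php -m` output is constructed so the script runs where no PHP binary is present.

```shell
#!/bin/sh
# Added example (not SiteRecipe's code): audit an installed PHP 7.2.x build
# against "7.2.x below 7.2.N" thresholds transcribed from the CVE table.
# Sample banner/module output below is constructed for offline use.

# CVE and the first 7.2.x release that fixes it (from the table), one per line.
FIXED_IN_72='
CVE-2018-10549 7.2.5
CVE-2018-14883 7.2.8
CVE-2018-20783 7.2.13
CVE-2019-9024 7.2.14
CVE-2019-9641 7.2.16
CVE-2019-11034 7.2.17
CVE-2019-11039 7.2.19
CVE-2019-11043 7.2.24
CVE-2020-7059 7.2.27
CVE-2020-7062 7.2.28
CVE-2020-7069 7.2.34
'

# Extensions containing the parsers the table's bugs live in. A site that does
# not need one removes that whole bug class by not loading it.
PARSER_EXTENSIONS='exif|phar|xmlrpc|mbstring|iconv|gd|bcmath'

# version_lt A B: exit 0 (true) when dotted version A is numerically below B.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    k = (n > m) ? n : m
    for (i = 1; i <= k; i++) {
      xi = (i <= n) ? x[i] + 0 : 0
      yi = (i <= m) ? y[i] + 0 : 0
      if (xi < yi) exit 0
      if (xi > yi) exit 1
    }
    exit 1
  }'
}

# php_version_from_banner TEXT: extract e.g. "7.2.24" from `php -v` output.
php_version_from_banner() {
  printf '%s\n' "$1" | sed -n 's/^PHP \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# unfixed_cves VERSION: print the listed CVEs whose fix is newer than VERSION.
unfixed_cves() {
  printf '%s\n' "$FIXED_IN_72" | while read -r cve fixed; do
    [ -n "$cve" ] || continue
    if version_lt "$1" "$fixed"; then
      printf '%s (fixed in %s)\n' "$cve" "$fixed"
    fi
  done
  return 0
}

# count_unfixed VERSION: how many listed CVEs remain open on VERSION.
count_unfixed() {
  unfixed_cves "$1" | wc -l | tr -d ' '
}

# loaded_parser_extensions TEXT: filter `php -m` output to the risky parsers.
loaded_parser_extensions() {
  printf '%s\n' "$1" | grep -i -x -E "$PARSER_EXTENSIONS" || true
}

# Constructed sample output, used when no php binary is on PATH.
SAMPLE_PHP_V='PHP 7.2.24 (cli) (built: Jan  1 2020 00:00:00) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies'
SAMPLE_PHP_M='[PHP Modules]
Core
ctype
exif
json
mbstring
phar
session
xmlrpc'

if command -v php >/dev/null 2>&1; then
  banner=$(php -v 2>/dev/null); modules=$(php -m 2>/dev/null)
else
  banner=$SAMPLE_PHP_V; modules=$SAMPLE_PHP_M
fi
ver=$(php_version_from_banner "$banner")
echo "PHP version: ${ver:-unknown}"
echo "Listed CVEs not fixed in this build: $(count_unfixed "$ver")"
unfixed_cves "$ver"
echo "Loaded extensions hosting the affected parsers:"
loaded_parser_extensions "$modules"
```

A build that scores zero here is not safe: 7.2.34, the highest release the table mentions, is as end-of-life as 7.2.0, and the script only shows which of the listed bugs are present today. Its value is in triage, telling you which table entries apply to the box in front of you and which extensions could be unloaded while the migration to a supported branch is scheduled.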
PHP 7.2's 79 vulnerabilities—especially the 14 critical flaws—pose an unacceptable security risk to your website and your visitors' data. Upgrading to a supported PHP version is the single most important step you can take to protect against active exploitation. The longer you delay, the greater the risk of a successful breach that could compromise customer information, inject malware, or bring your site offline. Most upgrades are seamless and take less than an hour to complete, making the effort minimal compared to the massive security benefit.
Don't let your website remain vulnerable. Use SiteRecipe.com's free security scanner to identify all outdated technologies on your site, get personalized upgrade recommendations, and track your progress toward a secure, modern web presence. Our platform provides clear guidance for each vulnerability, helping you prioritize fixes and implement them confidently. Start your free security audit today and join hundreds of website owners who've already eliminated their PHP 7.2 vulnerabilities.