PHP 7.2.13 is a widely-used server-side programming language powering countless websites worldwide. However, security researchers have identified a critical vulnerability in this version that puts your website at risk. CVE-2018-20783 is a HIGH severity buffer over-read flaw in PHAR reading functions that could allow attackers to access sensitive data from your server's memory. With 262 websites still running this vulnerable version, understanding and patching this issue is essential for protecting your digital assets.
Buffer over-read vulnerabilities are particularly dangerous because they allow attackers to read memory beyond the intended boundaries of a file. In PHP 7.2.13, this weakness exists in the PHAR (PHP Archive) reading mechanism, which is commonly used for distributing PHP applications. If your website processes untrusted .phar files, this vulnerability could be exploited to extract confidential information like database credentials, API keys, or user data stored in memory.
This guide will walk you through identifying whether your website is vulnerable, understanding the risks, and implementing the necessary fixes to secure your PHP installation.
What is Php 7.2.13?
PHP 7.2.13 is a specific version of PHP, a server-side programming language that creates the dynamic content you see on websites. Think of PHP as the engine that powers websites—it runs on your web server and generates web pages based on user requests. Version 7.2.13 was released in December 2018 and has been used by thousands of websites for handling everything from user logins to processing payments and managing content databases.
Every software version, including PHP 7.2.13, can contain security vulnerabilities—weaknesses that hackers can exploit to gain unauthorized access or steal information. These vulnerabilities are tracked and assigned CVE (Common Vulnerabilities and Exposures) numbers. PHP 7.2.13 contains one HIGH severity vulnerability (CVE-2018-20783) that affects how the server reads and processes archived files. Understanding your PHP version and keeping it updated is one of the most important aspects of website security that many website owners overlook.
Key Vulnerabilities in Php 7.2.13
1 CVEs found. The most critical are explained below.
HIGHCVE-2018-207837.5/10 · CVSS v3.0
⏱ Immediate
PHP Security Flaw Allows Reading Sensitive Server Data
PHP 7.2.13 and earlier versions contain a security weakness in how they read certain file types (.phar files). An attacker could exploit this to peek at sensitive information stored in your server's memory, including database passwords, user data, or private keys. This happens automatically if someone tricks your site into processing a malicious file.
Impact: An attacker could steal confidential data from your server including customer information, authentication credentials, or business data. This could lead to data breaches, compliance violations, and loss of customer trust.
1Log into your web hosting control panel (cPanel, Plesk, or your provider's interface) and navigate to the PHP version settings or Software section.
2Look for your current PHP version number—it will be displayed as something like '7.2.13' or similar. Note the exact version number.
3Alternatively, create a simple PHP file with the code '<?php phpinfo(); ?>' in your website's root directory, upload it, and visit it in your browser to see the exact PHP version displayed at the top of the page.
How to Fix These Vulnerabilities
1Immediately back up your entire website and database before making any changes. Most hosting providers offer one-click backup options through your control panel.
2Log into your hosting control panel and navigate to the PHP Version selector. Change your PHP version from 7.2.13 to either 7.2.26 or higher (if you must stay on 7.2.x) or upgrade to PHP 7.4, 8.0, or higher for better security and performance.
3After upgrading, test your website thoroughly by visiting different pages, checking forms, and testing any critical functionality like payments or user logins to ensure nothing broke during the upgrade.
4Delete or rename the phpinfo.php file you created earlier (if you created one), as it can be a security risk if left on your server. Monitor your website logs for any errors and contact your hosting provider if you encounter issues.
Conclusion
PHP 7.2.13 is vulnerable to CVE-2018-20783, a HIGH severity buffer over-read attack that could expose sensitive data from your server's memory. While this vulnerability requires specific conditions to exploit (typically accessing malicious .phar files), the risk is significant enough that updating should be a priority. The good news is that upgrading PHP is typically straightforward with most modern hosting providers offering one-click version switchers, and the process usually takes just minutes.
Don't let your website remain vulnerable to known exploits. Use SiteRecipe.com's comprehensive vulnerability scanner to instantly identify all security weaknesses in your website's technology stack, including outdated PHP versions and missing security patches. Our platform automatically tracks CVEs, prioritizes fixes by severity, and provides step-by-step remediation guidance. Start protecting your website today with a free security scan at SiteRecipe.com—because website security shouldn't be complicated.
Frequently Asked Questions
What is a buffer over-read vulnerability?
A buffer over-read occurs when software reads more data from memory than it should, potentially exposing information beyond the intended boundaries. In CVE-2018-20783, an attacker could craft a malicious .phar file that tricks PHP into reading adjacent memory locations, revealing sensitive data like passwords, API keys, or user information that happens to be stored nearby in the server's RAM.
How severe is CVE-2018-20783 for my website?
The severity depends on whether your website processes .phar files from untrusted sources. If your site only uses internally-created or verified .phar files, the risk is lower. However, it's classified as HIGH severity because the potential impact includes information disclosure, and any unpatched vulnerability is a security liability. Upgrading PHP is the safest approach.
Will upgrading PHP break my website?
Most websites upgrade PHP without issues, especially when moving from 7.2.x to a newer 7.x version. However, older custom code or poorly-maintained plugins may have compatibility issues. Always back up your site first, upgrade PHP, and thoroughly test your website before considering the upgrade complete. Your hosting provider's support team can help troubleshoot any problems.
Can I stay on PHP 7.2 safely?
PHP 7.2 reached official end-of-life in November 2020, meaning it no longer receives security updates. While upgrading to PHP 7.2.26 or later patches this specific CVE, you're vulnerable to future undiscovered flaws. We strongly recommend upgrading to PHP 7.4+ or PHP 8.x for security, performance, and modern features.
How does SiteRecipe.com help with this?
SiteRecipe.com automatically scans your website's technology stack, detects outdated versions like PHP 7.2.13, and alerts you to associated CVEs. Our platform provides clear upgrade recommendations, priority scoring, and guides to help you stay secure. We make vulnerability management effortless so you can focus on your business.
Generate white-label reports for your clients
Web agencies use SiteRecipe to produce branded PDF security reports in 30 seconds.
DISCLAIMER: This report is based on publicly available CVE data from the National Vulnerability
Database (NVD) maintained by NIST. Detection of a technology version does not confirm active
exploitation on any specific website. For informational purposes only.
SiteRecipe is not responsible for actions taken based on this report.
Always consult a qualified security professional.