    Home /
    Blog /
    PHP 7.2.16
  

Security Advisory

PHP 7.2.16 Security: 6 CVEs & Critical Fixes

    📅 June 07, 2026
    ·⏱ 5 min read
    ·🔒 SiteRecipe Security Team
  

⚠ 835 websites still running PHP 7.2.16 → View full list

Total

Critical

High

PHP 7.2.16 is running on approximately 835 active websites worldwide, but this version contains 6 significant security vulnerabilities—including 1 critical flaw that could allow attackers to execute unauthorized access through image file processing. The vulnerabilities primarily affect the EXIF component, which handles metadata from digital photos and images uploaded to your site. If your website hasn't been patched beyond PHP 7.2.16, you're exposing your server and user data to serious security risks that exploit image file handling, filesystem operations, and uninitialized memory reads.

In this guide, we'll explain what these vulnerabilities are, how to check if your site is affected, and provide step-by-step instructions to upgrade and protect your PHP installation. Understanding these risks is crucial for website owners, developers, and system administrators who want to maintain a secure online presence.

What is Php 7.2.16?

PHP 7.2.16 is a server-side programming language version released in March 2019 that powers the backend functionality of millions of websites. Think of it as the engine that runs your website—it processes form submissions, manages databases, handles file uploads, and delivers dynamic content to your visitors. PHP 7.2 was one of the most widely adopted versions of the language before it reached end-of-life, making it common in older WordPress sites, custom applications, and legacy e-commerce platforms.

However, PHP 7.2.16 specifically was released before several critical security patches became available. The version contains multiple flaws in how it processes image files and manages filesystem operations. When you upload a photo or image to a website running this version, the server could improperly handle that file's metadata (EXIF data), potentially exposing sensitive information or allowing attackers to trigger uninitialized memory reads that lead to information disclosure or system compromise.

Key Vulnerabilities in Php 7.2.16

6 CVEs found. The most critical are explained below.

CRITICAL CVE-2019-9641 9.8/10 · CVSS v3.1 ⏱ Immediate

Photo metadata reading causes server crash or exposure

When your website processes photo files, PHP can crash or leak hidden information from the image's metadata. This happens because the software doesn't properly check the data before reading it. Attackers can upload specially crafted photos to trigger this problem.

Impact: Your website could become unavailable, or attackers could extract sensitive information stored in image files without permission.

↗ View on NVD

HIGH CVE-2019-9637 7.5/10 · CVSS v3.0 ⏱ Immediate

File permissions briefly exposed during move operations

When your server moves or renames files between different storage locations, there's a brief moment where file permissions aren't properly set. During this window, unauthorized people could potentially access files they shouldn't see.

Impact: Attackers could read private files like configuration files containing passwords or customer data during the brief window when permissions are incorrect.

↗ View on NVD

HIGH CVE-2019-9638 7.5/10 · CVSS v3.1 ⏱ Immediate

Camera metadata processing causes memory errors

When processing camera-specific metadata embedded in photos, PHP incorrectly handles the relationship between different data values. This causes the software to read from the wrong memory location, which can crash your site or expose data.

Impact: Website crashes or exposure of server memory contents, which could reveal passwords, database information, or other sensitive data.

↗ View on NVD

HIGH CVE-2019-9639 7.5/10 · CVSS v3.1 ⏱ Immediate

Camera metadata processing causes memory data leak

Similar to the previous issue, the PHP photo metadata processor mishandles certain data variables, causing it to read uninitialized memory. Attackers upload malicious photos to trigger this vulnerability.

Impact: Server memory exposure that could leak sensitive information, or website crashes that disrupt service for your visitors.

↗ View on NVD

HIGH CVE-2019-9640 7.5/10 · CVSS v3.1 ⏱ Immediate

JPEG file processing causes invalid memory access

PHP's photo processing component incorrectly reads JPEG file data, accessing memory regions it shouldn't touch. Attackers can upload specially formatted JPEG files to exploit this.

Impact: Website crashes or potential exposure of server memory containing sensitive information like encryption keys or user data.

↗ View on NVD

HIGH CVE-2020-11579 7.5/10 · CVSS v3.1 ⏱ Immediate

Installation file exposes database files to unauthorized access

If you used PHPKB (a knowledge base software) and left installation files in place, attackers could access the installation test script to read your database files without logging in. This affects PHP versions before 7.2.16.

Impact: Complete exposure of your database containing all customer information, passwords, and business data to anyone on the internet.

↗ View on NVD

Is your website running Php 7.2.16?

Scan your site in 30 seconds. Used by 500+ web agencies.

Scan my website — free 📋 See all 835 affected sites

How to Check If Your Website Is Affected

1 Access your web hosting control panel (cPanel, Plesk, etc.) and navigate to the PHP version settings or contact your hosting provider
2 Check your website's PHP version by creating a simple test file with <?php phpinfo(); ?> and uploading it to your server, then visiting it in your browser
3 Use SiteRecipe.com's free vulnerability scanner to automatically detect your PHP version and identify all known CVEs affecting your installation

How to Fix These Vulnerabilities

1 Backup your entire website and database immediately using your hosting control panel or an automated backup tool
2 Update PHP to version 7.2.17 or higher (ideally 7.4+ or 8.x if your applications support it) through your hosting provider's control panel
3 After updating, test your website thoroughly—check that all plugins, themes, and custom code still function correctly with the new PHP version
4 Remove or update any PHP applications that rely on EXIF processing, and verify that image uploads are working properly with the new version

Conclusion

PHP 7.2.16's security vulnerabilities represent a significant risk to your website's integrity and your visitors' data. The critical EXIF processing flaw (CVE-2019-9641) and five additional high-severity vulnerabilities can be exploited through image uploads, filesystem operations, and specially crafted requests—all common attack vectors used by cybercriminals. Upgrading to a patched version is not optional; it's a fundamental requirement for responsible website management.

Don't leave your website vulnerable another day. Use SiteRecipe.com's comprehensive vulnerability scanner to identify all security issues on your site, receive detailed upgrade recommendations, and track your patch compliance over time. Our platform monitors PHP versions, CVEs, and deprecated features, giving you the insights needed to keep your website secure, fast, and compliant. Start your free security audit today and take control of your website's protection.

Frequently Asked Questions

What exactly is the EXIF vulnerability in PHP 7.2.16?

EXIF is metadata embedded in image files (like photos from digital cameras). PHP 7.2.16's EXIF processing component has uninitialized memory read bugs that attackers can trigger by uploading specially crafted image files. This can leak sensitive server information or cause the application to crash, affecting the availability of your website.

Will upgrading PHP break my website?

Most websites upgrade smoothly, but compatibility issues can occur with very old plugins, themes, or custom code. Before upgrading in production, test thoroughly on a staging server. SiteRecipe.com can help identify compatibility issues before you upgrade.

How do I know if my website has been exploited already?

Check your web server logs for unusual image upload activity, look for unexpected file modifications, and monitor for signs of unauthorized access. If concerned, consider hiring a professional security auditor to conduct a forensic analysis of your website.

Is upgrading to the latest PHP version safe?

Yes, upgrading to the latest stable PHP version (8.2 or 8.3) is both safe and recommended. These versions have years of security patches, better performance, and modern features. Your hosting provider can assist with the upgrade process.

Can I stay on PHP 7.2.16 if I disable image uploads?

While disabling image uploads reduces one attack vector, it doesn't protect against other vulnerabilities in this version like CVE-2019-9637 (filesystem rename issues). Full upgrading is the only secure solution.

Generate white-label reports for your clients

Web agencies use SiteRecipe to produce branded PDF security reports in 30 seconds.

Free scan Agency plans 📋 835 affected sites

DISCLAIMER: This report is based on publicly available CVE data from the National Vulnerability Database (NVD) maintained by NIST. Detection of a technology version does not confirm active exploitation on any specific website. For informational purposes only. SiteRecipe is not responsible for actions taken based on this report. Always consult a qualified security professional.

Source: nvd.nist.gov · Published: June 07, 2026 · SiteRecipe.com