    Home /
    Blog /
    PHP 7.2.17
  

Security Advisory

PHP 7.2.17 Critical Vulnerabilities: 928 Sites at Risk

    📅 June 07, 2026
    ·⏱ 5 min read
    ·🔒 SiteRecipe Security Team
  

⚠ 928 websites still running PHP 7.2.17 → View full list

Total

Critical

PHP 7.2.17 is running on 928 websites worldwide, but it contains two critical security vulnerabilities that could expose your site to serious attacks. These flaws exist in the EXIF extension—a common tool used to read image metadata—and can allow attackers to access sensitive information or crash your server. If your website uses PHP 7.2.17, this is a critical security issue that demands immediate attention.

The two vulnerabilities, CVE-2019-11034 and CVE-2019-11035, both involve buffer overflow attacks in the EXIF processing functions. When your server processes certain malicious image files, an attacker can read data beyond the allocated memory buffer, potentially exposing confidential information or causing your site to crash. Even if you think your site isn't targeted, automated scanning tools continuously probe servers for these exact vulnerabilities.

This guide walks you through understanding these vulnerabilities, checking if your site is affected, and implementing fixes to protect your website and users.

What is Php 7.2.17?

PHP 7.2.17 is a server-side programming language that powers millions of websites. It's installed on web servers and handles the behind-the-scenes logic that makes websites function—processing forms, accessing databases, and generating the pages you see in your browser. PHP 7.2.17 specifically is an older version released in May 2018, and many websites still run it because updating can seem complicated or risky.

The EXIF extension mentioned in these vulnerabilities is a PHP tool that reads metadata from image files—think of it as extracting the invisible information stored inside photos, like the camera model or date taken. Most websites that handle image uploads (like portfolio sites, e-commerce stores, or social platforms) use this extension. When PHP 7.2.17's EXIF functions process certain specially crafted images, they can malfunction and expose sensitive server data or crash entirely.

Key Vulnerabilities in Php 7.2.17

2 CVEs found. The most critical are explained below.

CRITICAL CVE-2019-11034 9.1/10 · CVSS v3.1 ⏱ Immediate

PHP Photo File Reader Memory Leak

PHP has a flaw in how it reads photo metadata (EXIF data) from image files. When someone uploads a specially crafted photo, the software can accidentally read memory it shouldn't access. This is like leaving a door open in your filing cabinet that lets people peek at confidential files.

Impact: An attacker could cause your website to crash or steal sensitive information from your server's memory, potentially exposing customer data or database information.

↗ View on NVD

CRITICAL CVE-2019-11035 9.1/10 · CVSS v3.1 ⏱ Immediate

PHP Photo Metadata Processing Memory Flaw

Similar to the first issue, PHP incorrectly handles photo metadata in another part of the code. A malicious image file can trick the system into reading beyond safe memory boundaries. This creates an unguarded window into your server's private information.

Impact: Your website could crash unexpectedly or sensitive server data could be exposed to attackers who upload specially designed images.

↗ View on NVD

Is your website running Php 7.2.17?

Scan your site in 30 seconds. Used by 500+ web agencies.

Scan my website — free 📋 See all 928 affected sites

How to Check If Your Website Is Affected

1 Log into your hosting control panel (cPanel, Plesk, or your provider's dashboard) and navigate to the PHP settings or information section
2 Look for your current PHP version number—if it shows 7.2.17 or any 7.2.x version below 7.2.17, your site is vulnerable
3 Alternatively, create a simple text file with <?php phpinfo(); ?> on your server, open it in your browser, and check the PHP Version row

How to Fix These Vulnerabilities

1 Backup your entire website and database immediately—this protects you if something goes wrong during the update process
2 Contact your hosting provider or log into your control panel and upgrade PHP to version 7.4, 8.0, or higher (7.2.17 is end-of-life and no longer receives security updates)
3 Test your website thoroughly after upgrading—check all forms, image uploads, database queries, and plugins to ensure everything works correctly
4 If problems occur, your hosting provider can usually roll back to your previous version; once confirmed working, delete your backup to save storage space

Conclusion

PHP 7.2.17 vulnerabilities are not theoretical threats—928 websites are currently exposed, and cybercriminals actively scan for these exact flaws. The good news is that upgrading takes hours, not days, and modern PHP versions are faster and more secure than older ones. Your website's performance and your users' safety depend on keeping your server software current.

Don't wait for a breach to force your hand. Use SiteRecipe.com's website security monitoring tools to automatically detect outdated software, vulnerability exposure, and security gaps on your site. Our platform scans your PHP version, checks for known CVEs, and alerts you before hackers find them. Start a free security audit on SiteRecipe.com today and take control of your site's safety.

Frequently Asked Questions

What happens if I don't upgrade from PHP 7.2.17?

Your site remains vulnerable to automated attacks that exploit these EXIF vulnerabilities. Attackers could crash your server, steal sensitive information, or use your server to launch attacks on other sites. Additionally, no security patches are released for PHP 7.2.17 anymore—you're essentially running unprotected software.

Will upgrading PHP break my website?

Most websites upgrade smoothly, but older plugins or custom code might have compatibility issues. This is why backing up and testing are essential. Your hosting provider can roll back if needed, and they often assist with upgrades. Modern PHP versions are designed to maintain backward compatibility while adding security.

Does every website need the EXIF extension enabled?

No. If your website doesn't process images or extract image metadata, you can disable the EXIF extension entirely in your PHP configuration. However, upgrading PHP is the safest solution since newer versions have these vulnerabilities patched and provide better overall security.

How can SiteRecipe.com help with this vulnerability?

SiteRecipe.com continuously scans your website for outdated software, known CVEs, and security weaknesses. Our platform identifies vulnerable PHP versions like 7.2.17 and alerts you immediately, helping you stay ahead of threats before attackers exploit them.

Generate white-label reports for your clients

Web agencies use SiteRecipe to produce branded PDF security reports in 30 seconds.

Free scan Agency plans 📋 928 affected sites

DISCLAIMER: This report is based on publicly available CVE data from the National Vulnerability Database (NVD) maintained by NIST. Detection of a technology version does not confirm active exploitation on any specific website. For informational purposes only. SiteRecipe is not responsible for actions taken based on this report. Always consult a qualified security professional.

Source: nvd.nist.gov · Published: June 07, 2026 · SiteRecipe.com