    Home /
    Blog /
    PHP 7.2.18
  

Security Advisory

PHP 7.2.18 Critical CVE-2019-11036: What You Need to Know

    📅 June 07, 2026
    ·⏱ 5 min read
    ·🔒 SiteRecipe Security Team
  

⚠ 3,552 websites still running PHP 7.2.18 → View full list

Total

Critical

If your website runs PHP 7.2.18, you're sitting on a critical security vulnerability that could expose sensitive data or crash your site. CVE-2019-11036 is a buffer overflow flaw in the EXIF extension that affects thousands of websites worldwide. This vulnerability allows attackers to read beyond allocated memory buffers, potentially accessing confidential information or causing denial of service attacks.

The good news is that this vulnerability is well-documented and relatively straightforward to fix. In this guide, we'll walk you through understanding the threat, checking if you're vulnerable, and implementing the necessary patches to secure your website. Even if you're not technically inclined, we've broken down the process into simple, actionable steps.

What is Php 7.2.18?

PHP 7.2.18 is a server-side scripting language version that powers millions of websites worldwide. It's the backbone of many content management systems, e-commerce platforms, and custom web applications. Think of it as the engine that makes your website dynamic—processing user requests, managing databases, and generating the content you see in your browser.

The EXIF extension is a special component within PHP that reads metadata from image files—things like camera settings, GPS coordinates, and timestamps embedded in photos. This extension is commonly used by websites that allow users to upload images, such as photo galleries, social media platforms, and real estate sites. When PHP processes these image files to extract metadata, the vulnerable code can accidentally read information from areas of computer memory it shouldn't access.

Key Vulnerabilities in Php 7.2.18

1 CVEs found. The most critical are explained below.

CRITICAL CVE-2019-11036 9.1/10 · CVSS v3.1 ⏱ Immediate

PHP Image File Processing Memory Leak Vulnerability

PHP 7.2.18 and earlier versions have a flaw in how they process image metadata (EXIF data from photos). When someone uploads a specially crafted image file to your website, the server can accidentally read data from computer memory that shouldn't be accessible. This could expose sensitive information or crash your website.

Impact: An attacker could steal private information stored in your server's memory (like database credentials or user data) or cause your website to become unavailable by crashing the PHP process. This primarily affects sites that allow users to upload image files.

↗ View on NVD

Is your website running Php 7.2.18?

Scan your site in 30 seconds. Used by 500+ web agencies.

Scan my website — free 📋 See all 3,552 affected sites

How to Check If Your Website Is Affected

1 Log into your website's hosting control panel (cPanel, Plesk, or similar) or use SSH terminal access
2 Run the command: php -v to display your current PHP version number
3 Check if the output shows version 7.2.x (particularly 7.2.18 or earlier) and confirm the EXIF extension is loaded using: php -m | grep exif

How to Fix These Vulnerabilities

1 Back up your entire website and database immediately using your hosting control panel's backup feature
2 Log into your hosting provider's control panel and navigate to the PHP version selector
3 Upgrade to PHP 7.2.19 or higher, or preferably to PHP 7.4+ which receives longer security support
4 After upgrading, test your website thoroughly by visiting key pages and testing forms, uploads, and image galleries to ensure nothing broke

Conclusion

CVE-2019-11036 is a serious threat to websites running PHP 7.2.18, but it's entirely preventable with a timely upgrade. Thousands of site owners have already patched their systems, and you should prioritize this update alongside any other security improvements. Regular security audits and vulnerability scanning should be part of your ongoing website maintenance routine.

Don't leave your website vulnerable to exploitation. Use SiteRecipe.com's free vulnerability scanner to identify outdated software, insecure configurations, and other security risks on your site. Our platform provides step-by-step remediation guidance tailored to your specific website, making it easy to stay ahead of threats like CVE-2019-11036. Start your free security audit today and protect your business from preventable cyberattacks.

Frequently Asked Questions

How serious is CVE-2019-11036 really?

This is rated as CRITICAL, the highest severity level. It could allow attackers to read sensitive data from your server's memory or crash your site entirely. However, it requires specific conditions (processing certain image files) to exploit, so immediate patching is essential but panic isn't necessary—straightforward fixes are available.

Will upgrading PHP break my website?

Most websites upgrade PHP versions without issues, but compatibility problems can occur with older plugins or custom code. This is why we recommend backing up your site first, then testing thoroughly after upgrade. If problems arise, you can usually revert quickly, or a developer can fix compatibility issues.

Can I just disable the EXIF extension instead of upgrading?

Disabling EXIF will prevent exploitation of this specific vulnerability, but it may break functionality for websites that rely on image metadata processing. Upgrading PHP is the proper long-term solution. If you must disable it temporarily, do so only until you can upgrade PHP properly.

Generate white-label reports for your clients

Web agencies use SiteRecipe to produce branded PDF security reports in 30 seconds.

Free scan Agency plans 📋 3,552 affected sites

DISCLAIMER: This report is based on publicly available CVE data from the National Vulnerability Database (NVD) maintained by NIST. Detection of a technology version does not confirm active exploitation on any specific website. For informational purposes only. SiteRecipe is not responsible for actions taken based on this report. Always consult a qualified security professional.

Source: nvd.nist.gov · Published: June 07, 2026 · SiteRecipe.com