PHP 7.3 is a widely-used server-side programming language that powers countless websites around the world. However, security researchers have discovered 80 documented vulnerabilities in this version, including 11 critical flaws that could allow attackers to compromise your entire website. If you're running PHP 7.3, your site may be at serious risk of data breaches, unauthorized access, and malware injection.
With 237 websites still actively using this vulnerable version, cybercriminals are actively targeting these installations. The critical vulnerabilities range from memory corruption issues to arbitrary file execution, all of which can have devastating consequences for your business. This comprehensive guide will help you understand these threats and take immediate action to secure your website.
PHP 7.3 is a server-side scripting language that runs on your web hosting server to generate dynamic website content. It processes requests from visitors' browsers and communicates with databases to deliver personalized experiences. Most WordPress sites, e-commerce platforms, and custom web applications rely on PHP to function. Think of it as the engine that powers your website behind the scenes.
PHP versions require regular updates because security researchers constantly discover weaknesses in the code. These vulnerabilities are like unlocked doors in your digital home—attackers can slip through them to steal data, install malware, or take control of your website. PHP 7.3, released in 2018, is now outdated and no longer receives security patches, making it increasingly dangerous to use in production environments.
80 CVEs found. The most critical are explained below.
PHP has a bug in how it processes XML data that could allow attackers to access sensitive information from your server's memory. This happens when malformed XML data is sent to your website.
Impact: Attackers could read private data stored in your server's memory, including passwords, database information, or user data.
PHP has a vulnerability in how it reads certain file types (PHAR files) that allows attackers to read data from memory beyond what they should access. This occurs when processing specially crafted files.
Impact: Attackers could extract confidential information from your server's memory by uploading or processing malicious files.
PHP's text handling functions have multiple bugs that expose server memory when processing certain types of text data. Attackers can trigger these issues by sending specially formatted text to your website.
Impact: Sensitive server data could be leaked, including authentication tokens, API keys, or customer information stored in memory.
PHP 7.3 has a critical bug in its text splitting function that causes it to write data to wrong memory locations when processing certain text formats. This could crash your site or allow code execution.
Impact: Your website could crash, malfunction, or attackers could execute malicious code on your server.
PHP has a bug when reading metadata from image files (EXIF data) that causes it to access uninitialized memory. Attackers can exploit this by uploading specially crafted images.
Impact: Attackers could leak server memory contents or crash your website by uploading malicious images.
If you installed the Gazie software, its installation file remains accessible after setup completes, allowing anyone to re-run the installer without permission. This file can be manipulated to include and execute arbitrary PHP files.
Impact: Attackers can gain complete control of your website and server by re-running the installer and including malicious files.
| CVE ID | Severity | Score | Published | Description |
|---|---|---|---|---|
| CVE-2019-11034 | CRITICAL | 9.1 | 2019-04-18 | When processing certain files, PHP EXIF extension in versions 7.1.x below 7.1.28, 7.2.x below 7.2.17 and 7.3.x below 7.3.4 can be caused to read past allocated buffer in exif_proc… |
| CVE-2019-11035 | CRITICAL | 9.1 | 2019-04-18 | When processing certain files, PHP EXIF extension in versions 7.1.x below 7.1.28, 7.2.x below 7.2.17 and 7.3.x below 7.3.4 can be caused to read past allocated buffer in exif_iif_… |
| CVE-2019-11036 | CRITICAL | 9.1 | 2019-05-03 | When processing certain files, PHP EXIF extension in versions 7.1.x below 7.1.29, 7.2.x below 7.2.18 and 7.3.x below 7.3.5 can be caused to read past allocated buffer in exif_proc… |
| CVE-2019-11039 | CRITICAL | 9.1 | 2019-06-19 | Function iconv_mime_decode_headers() in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6 may perform out-of-buffer read due to integer overflow when parsi… |
| CVE-2019-11040 | CRITICAL | 9.1 | 2019-06-19 | When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6… |
| CVE-2019-6977 | HIGH | 8.8 | 2019-01-27 | gdImageColorMatch in gd_color_match.c in the GD Graphics Library (aka LibGD) 2.2.5, as used in the imagecolormatch function in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7… |
| CVE-2019-11043 | HIGH | 8.7 | 2019-10-28 | In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 in certain configurations of FPM setup it is possible to cause FPM module to write past allocated buf… |
| CVE-2019-9675 | HIGH | 8.1 | 2019-03-11 | An issue was discovered in PHP 7.x before 7.1.27 and 7.3.x before 7.3.3. phar_tar_writeheaders_int in ext/phar/tar.c has a buffer overflow via a long link value. NOTE: The vendor … |
| CVE-2025-32668 | HIGH | 8.1 | 2025-04-10 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Rameez Iqbal Real Estate Manager real-estate-manager allow… |
| CVE-2025-14359 | HIGH | 8.1 | 2026-01-08 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in brandexponents Oshine allows PHP Local File Inclusion. Th… |
| CVE-2021-21703 | HIGH | 7.8 | 2021-10-25 | In PHP versions 7.3.x up to and including 7.3.31, 7.4.x below 7.4.25 and 8.0.x below 8.0.12, when running PHP FPM SAPI with main FPM daemon process running as root and child worke… |
| CVE-2004-2044 | HIGH | 7.5 | 2004-06-01 | PHP-Nuke 7.3, and other products that use the PHP-Nuke codebase such as the Nuke Cops betaNC PHP-Nuke Bundle, OSCNukeLite 3.1, and OSC2Nuke 7x do not properly use the eregi() PHP … |
| CVE-2004-2018 | HIGH | 7.5 | 2004-12-31 | PHP remote file inclusion vulnerability in index.php in Php-Nuke 6.x through 7.3 allows remote attackers to execute arbitrary PHP code by modifying the modpath parameter to refere… |
| CVE-2004-2295 | HIGH | 7.5 | 2004-12-31 | SQL injection vulnerability in the Reviews module in PHP-Nuke 6.0 to 7.3 allows remote attackers to execute arbitrary SQL commands via the order parameter. |
| CVE-2010-4914 | HIGH | 7.5 | 2011-10-08 | PHP remote file inclusion vulnerability in tools/phpmailer/class.phpmailer.php in PHP Classifieds 7.3 allows remote attackers to execute arbitrary PHP code via a URL in the lang_p… |
| CVE-2018-19935 | HIGH | 7.5 | 2018-12-07 | ext/imap/php_imap.c in PHP 5.x and 7.x before 7.3.0 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty string in th… |
| CVE-2019-9022 | HIGH | 7.5 | 2019-02-22 | An issue was discovered in PHP 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.2. dns_get_record misparses a DNS response, which can allow a hostile DNS server to cau… |
| CVE-2019-9024 | HIGH | 7.5 | 2019-02-22 | An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. xmlrpc_decode() can allow a hostile XMLRPC server to cause PHP to rea… |
| CVE-2019-9637 | HIGH | 7.5 | 2019-03-09 | An issue was discovered in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. Due to the way rename() across filesystems is implemented, it is possible that file bein… |
| CVE-2019-9638 | HIGH | 7.5 | 2019-03-09 | An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an uninitialized read in exif_process_IFD_in_MAKERNOTE be… |
| CVE-2019-9639 | HIGH | 7.5 | 2019-03-09 | An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an uninitialized read in exif_process_IFD_in_MAKERNOTE be… |
| CVE-2019-9640 | HIGH | 7.5 | 2019-03-09 | An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an Invalid Read in exif_process_SOFn. |
| CVE-2019-19246 | HIGH | 7.5 | 2019-11-25 | Oniguruma through 6.9.3, as used in PHP 7.3.x and other products, has a heap-based buffer over-read in str_lower_case_match in regexec.c. |
| CVE-2020-7062 | HIGH | 7.5 | 2020-02-27 | In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15 and 7.4.x below 7.4.3, when using file upload functionality, if upload progress tracking is enabled, but session.upload_prog… |
| CVE-2020-7067 | HIGH | 7.5 | 2020-04-27 | In PHP versions 7.2.x below 7.2.30, 7.3.x below 7.3.17 and 7.4.x below 7.4.5, if PHP is compiled with EBCDIC support (uncommon), urldecode() function can be made to access locatio… |
| CVE-2024-52301 | HIGH | 7.5 | 2024-11-12 | Laravel is a web application framework. When the register_argc_argv php directive is set to on , and users call any URL with a special crafted query string, they are able to chang… |
| CVE-2025-32150 | HIGH | 7.5 | 2025-04-04 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Rameez Iqbal Real Estate Manager real-estate-manager allow… |
| CVE-2025-47508 | HIGH | 7.5 | 2025-05-07 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Ruben Garcia GamiPress gamipress allows PHP Local File Inc… |
| CVE-2020-7065 | HIGH | 7.4 | 2020-04-01 | In PHP versions 7.3.x below 7.3.16 and 7.4.x below 7.4.4, while using mb_strtolower() function with UTF-32LE encoding, certain invalid strings could cause PHP to overwrite stack-a… |
| CVE-2021-21979 | HIGH | 7.3 | 2021-03-03 | In Bitnami Containers, all Laravel container versions prior to: 6.20.0-debian-10-r107 for Laravel 6, 7.30.1-debian-10-r108 for Laravel 7 and 8.5.11-debian-10-r0 for Laravel 8, the… |
| CVE-2024-7553 | HIGH | 7.3 | 2024-08-07 | Incorrect validation of files loaded from a local untrusted directory may allow local privilege escalation if the underlying operating systems is Windows. This may result in the a… |
| CVE-2025-64500 | HIGH | 7.3 | 2025-11-12 | Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Symfony's HttpFoundation component defines an object-oriented layer for the HTTP … |
| CVE-2025-13145 | HIGH | 7.2 | 2025-11-19 | The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 7.33.1. This is due to des… |
| CVE-2019-11041 | HIGH | 7.1 | 2019-08-09 | When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.1.x below 7.1.31, 7.2.x below 7.2.21 and 7.3.x below 7.3.8… |
| CVE-2019-11042 | HIGH | 7.1 | 2019-08-09 | When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.1.x below 7.1.31, 7.2.x below 7.2.21 and 7.3.x below 7.3.8… |
| CVE-2008-0560 | MEDIUM | 6.8 | 2008-02-04 | PHP remote file inclusion vulnerability in cforms-css.php in Oliver Seidel cforms (contactforms), a Wordpress plugin, allows remote attackers to execute arbitrary PHP code via a U… |
| CVE-2015-9253 | MEDIUM | 6.5 | 2018-02-19 | An issue was discovered in PHP 7.3.x before 7.3.0alpha3, 7.2.x before 7.2.8, and before 7.1.20. The php-fpm master process restarts a child process in an endless loop when using p… |
| CVE-2019-11049 | MEDIUM | 6.5 | 2019-12-23 | In PHP versions 7.3.x below 7.3.13 and 7.4.0 on Windows, when supplying custom headers to mail() function, due to mistake introduced in commit 78f4b4a2dcf92ddbccea1bb95f8390a18ac3… |
| CVE-2020-7059 | MEDIUM | 6.5 | 2020-02-10 | When using fgetss() function to read data with stripping tags, in PHP versions 7.2.x below 7.2.27, 7.3.x below 7.3.14 and 7.4.x below 7.4.2 it is possible to supply data that will… |
| CVE-2020-7060 | MEDIUM | 6.5 | 2020-02-10 | When using certain mbstring functions to convert multibyte encodings, in PHP versions 7.2.x below 7.2.27, 7.3.x below 7.3.14 and 7.4.x below 7.4.2 it is possible to supply data th… |
| CVE-2020-7061 | MEDIUM | 6.5 | 2020-02-27 | In PHP versions 7.3.x below 7.3.15 and 7.4.x below 7.4.3, while extracting PHAR files on Windows using phar extension, certain content inside PHAR file could lead to one-byte read… |
| CVE-2020-7064 | MEDIUM | 6.5 | 2020-04-01 | In PHP versions 7.2.x below 7.2.9, 7.3.x below 7.3.16 and 7.4.x below 7.4.4, while parsing EXIF data with exif_read_data() function, it is possible for malicious data to cause PHP… |
| CVE-2026-1317 | MEDIUM | 6.5 | 2026-02-18 | The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 7.37. This is due to insufficient… |
| CVE-2026-24739 | MEDIUM | 6.3 | 2026-01-28 | Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to versions 5.4.51, 6.4.33, 7.3.11, 7.4.5, and 8.0.5, the Symfony Process c… |
| CVE-2025-58092 | MEDIUM | 6.1 | 2026-01-20 | Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead t… |
| CVE-2025-58093 | MEDIUM | 6.1 | 2026-01-20 | Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead t… |
| CVE-2020-7063 | MEDIUM | 5.5 | 2020-02-27 | In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15 and 7.4.x below 7.4.3, when creating PHAR archive using PharData::buildFromIterator() function, the files are added with def… |
| CVE-2020-7069 | MEDIUM | 5.4 | 2020-10-02 | In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when AES-CCM mode is used with openssl_encrypt() function with 12 bytes IV, only first 7 bytes of th… |
| CVE-2019-11038 | MEDIUM | 5.3 | 2019-06-19 | When using the gdImageCreateFromXbm() function in the GD Graphics Library (aka LibGD) 2.2.5, as used in the PHP GD extension in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19… |
| CVE-2020-7066 | MEDIUM | 5.3 | 2020-04-01 | In PHP versions 7.2.x below 7.2.29, 7.3.x below 7.3.16 and 7.4.x below 7.4.4, while using get_headers() with user-supplied URL, if the URL contains zero (\0) character, the URL wi… |
| CVE-2019-11048 | MEDIUM | 5.3 | 2020-05-20 | In PHP versions 7.2.x below 7.2.31, 7.3.x below 7.3.18 and 7.4.x below 7.4.6, when HTTP file uploads are allowed, supplying overly long filenames or field names could lead PHP eng… |
| CVE-2020-7071 | MEDIUM | 5.3 | 2021-02-15 | In PHP versions 7.3.x below 7.3.26, 7.4.x below 7.4.14 and 8.0.0, when validating URL with functions like filter_var($url, FILTER_VALIDATE_URL), PHP will accept an URL with invali… |
| CVE-2021-21702 | MEDIUM | 5.3 | 2021-02-15 | In PHP versions 7.3.x below 7.3.27, 7.4.x below 7.4.15 and 8.0.x below 8.0.2, when using SOAP extension to connect to a SOAP server, a malicious SOAP server could return malformed… |
| CVE-2021-21706 | MEDIUM | 5.3 | 2021-10-04 | In PHP versions 7.3.x below 7.3.31, 7.4.x below 7.4.24 and 8.0.x below 8.0.11, in Microsoft Windows environment, ZipArchive::extractTo may be tricked into writing a file outside t… |
| CVE-2021-21707 | MEDIUM | 5.3 | 2021-11-29 | In PHP versions 7.3.x below 7.3.33, 7.4.x below 7.4.26 and 8.0.x below 8.0.13, certain XML parsing functions, like simplexml_load_file(), URL-decode the filename passed to them. I… |
| CVE-2022-1613 | MEDIUM | 5.3 | 2022-09-26 | The Restricted Site Access WordPress plugin before 7.3.2 prioritizes getting a visitor's IP from certain HTTP headers over PHP's REMOTE_ADDR, which makes it possible to bypass IP-… |
| CVE-2004-2019 | MEDIUM | 5.0 | 2004-12-31 | The WebLinks module in Php-Nuke 6.x through 7.3 allows remote attackers to obtain sensitive information via an invalid show parameter, which displays the full path in a PHP error … |
| CVE-2004-2296 | MEDIUM | 5.0 | 2004-12-31 | The preview_review function in the Reviews module in PHP-Nuke 6.0 to 7.3, when running on Windows systems, allows remote attackers to obtain sensitive information via an invalid d… |
| CVE-2004-2297 | MEDIUM | 5.0 | 2004-12-31 | The Reviews module in PHP-Nuke 6.0 to 7.3 allows remote attackers to cause a denial of service (CPU and memory consumption) via a large, out-of-range score parameter. |
| CVE-2014-9016 | MEDIUM | 5.0 | 2014-11-24 | The password hashing API in Drupal 7.x before 7.34 and the Secure Password Hashes (aka phpass) module 6.x-2.x before 6.x-2.1 for Drupal allows remote attackers to cause a denial o… |
| CVE-2021-21704 | MEDIUM | 5.0 | 2021-10-04 | In PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x below 8.0.8, when using Firebird PDO driver extension, a malicious database server could cause crashes in various … |
| CVE-2019-11047 | MEDIUM | 4.8 | 2019-12-23 | When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 it is possi… |
| CVE-2019-11050 | MEDIUM | 4.8 | 2019-12-23 | When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 it is possi… |
| CVE-2020-7068 | MEDIUM | 4.8 | 2020-09-09 | In PHP versions 7.2.x below 7.2.33, 7.3.x below 7.3.21 and 7.4.x below 7.4.9, while processing PHAR files using phar extension, phar_parse_zipfile could be tricked into accessing … |
| CVE-2026-40301 | MEDIUM | 4.7 | 2026-04-17 | DOMSanitizer is a DOM/SVG/MathML Sanitizer for PHP 7.3+. Prior to version 1.0.10, DOMSanitizer::sanitize() allows <style> elements in SVG content but never inspects their text con… |
| CVE-2004-2020 | MEDIUM | 4.3 | 2004-12-31 | Multiple cross-site scripting (XSS) vulnerabilities in Php-Nuke 6.x through 7.3 allow remote attackers to inject arbitrary HTML or web script into the (1) optionbox parameter in t… |
| CVE-2004-2293 | MEDIUM | 4.3 | 2004-12-31 | Multiple cross-site scripting (XSS) vulnerabilities in PHP-Nuke 6.0 to 7.3 allow remote attackers to inject arbitrary web script or HTML via the (1) eid parameter or (2) query par… |
| CVE-2004-2294 | MEDIUM | 4.3 | 2004-12-31 | Canonicalize-before-filter error in the send_review function in the Reviews module for PHP-Nuke 6.0 to 7.3 allows remote attackers to inject arbitrary web script or HTML via hex-e… |
| CVE-2020-7070 | MEDIUM | 4.3 | 2020-10-02 | In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when PHP is processing incoming HTTP cookie values, the cookie names are url-decoded. This may lead … |
| CVE-2021-21705 | MEDIUM | 4.3 | 2021-10-04 | In PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x below 8.0.8, when using URL validation functionality via filter_var() function with FILTER_VALIDATE_URL parameter,… |
| CVE-2019-11044 | LOW | 3.7 | 2019-12-23 | In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 on Windows, PHP link() function accepts filenames with embedded \0 byte and treats them as terminating at that byt… |
| CVE-2019-11045 | LOW | 3.7 | 2019-12-23 | In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP DirectoryIterator class accepts filenames with embedded \0 byte and treats them as terminating at that byte. … |
| CVE-2019-11046 | LOW | 3.7 | 2019-12-23 | In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP bcmath extension functions on some systems, including Windows, can be tricked into reading beyond the allocat… |
| CVE-2024-12300 | LOW | 3.7 | 2024-12-13 | The AR for WordPress plugin for WordPress is vulnerable to unauthorized double extension file upload due to a missing capability check on the set_ar_featured_image() function in a… |
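The table above states each PHP fix in NVD's own wording ("7.3.x below 7.3.11", "7.3.x up to and including 7.3.31"), and the point of the page is that a PHP 7.3 build will fall inside many of those ranges. The following script is an added example, not code from this page or from the PHP project: it parses that range wording and reports which entries cover a given installed version, and it flags entries whose range it could not parse rather than silently reporting them as "not affected". The CVE ids and range phrases in `SAMPLE_ADVISORIES` are copied from the table rows; the rest of each description is omitted, and the function names are this example's own.

```python
import re

# Constructed sample set. The CVE ids and the version-range wording are
# copied from the table on this page; the remainder of each NVD description
# is omitted. In practice you would load the full NVD feed for the product.
SAMPLE_ADVISORIES = [
    ("CVE-2019-11034", "PHP EXIF extension in versions 7.1.x below 7.1.28, "
                       "7.2.x below 7.2.17 and 7.3.x below 7.3.4"),
    ("CVE-2019-11043", "In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 "
                       "and 7.3.x below 7.3.11 in certain configurations of FPM"),
    ("CVE-2021-21703", "In PHP versions 7.3.x up to and including 7.3.31, "
                       "7.4.x below 7.4.25 and 8.0.x below 8.0.12"),
    ("CVE-2021-21707", "In PHP versions 7.3.x below 7.3.33, 7.4.x below 7.4.26 "
                       "and 8.0.x below 8.0.13"),
    ("CVE-2019-9675",  "An issue was discovered in PHP 7.x before 7.1.27 "
                       "and 7.3.x before 7.3.3."),
    ("CVE-2019-19246", "Oniguruma through 6.9.3, as used in PHP 7.3.x and "
                       "other products"),
]

# Matches the "7.3.x below 7.3.11" / "7.3.x before 7.3.3" /
# "7.3.x up to and including 7.3.31" phrasing NVD uses for PHP ranges.
RANGE_RE = re.compile(
    r"(?P<branch>\d+\.\d+)\.x\s+"
    r"(?P<kind>below|before|up to and including)\s+"
    r"(?P<bound>\d+\.\d+\.\d+)"
)


def parse_version(text):
    """'7.3.33-1+ubuntu20.04' -> (7, 3, 33); tuples compare numerically."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised PHP version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def parse_ranges(description):
    """Extract (branch, bound, inclusive) triples from an NVD description."""
    ranges = []
    for m in RANGE_RE.finditer(description):
        ranges.append((
            parse_version(m.group("branch") + ".0")[:2],
            parse_version(m.group("bound")),
            m.group("kind") == "up to and including",
        ))
    return ranges


def is_affected(version, ranges):
    """True if version falls inside a parsed range for its own minor branch."""
    v = parse_version(version)
    for branch, bound, inclusive in ranges:
        if v[:2] != branch:
            continue  # range is for a different minor branch, e.g. 7.4.x
        if (v <= bound) if inclusive else (v < bound):
            return True
    return False


def check_version(version, advisories=SAMPLE_ADVISORIES):
    """Return {'affected': [...], 'unparsed': [...]} for the given version."""
    report = {"affected": [], "unparsed": []}
    for cve, description in advisories:
        ranges = parse_ranges(description)
        if not ranges:
            # No machine-readable range: surface it for manual review
            # instead of letting it look like a clean result.
            report["unparsed"].append(cve)
        elif is_affected(version, ranges):
            report["affected"].append(cve)
    return report


if __name__ == "__main__":
    # On a real host take the version from:  php -r 'echo PHP_VERSION;'
    for v in ("7.3.10", "7.3.33", "8.1.0"):
        r = check_version(v)
        print(f"PHP {v}: affected={r['affected']} manual-review={r['unparsed']}")
```

Two points worth noting when adapting this: version strings are compared as integer tuples, because string comparison would rank `7.3.9` above `7.3.10`; and a 7.3.33 build comes out clean against this sample only because 7.3.33 was the final 7.3 release, so the check confirms nothing about vulnerabilities fixed in later branches, which is exactly why the page recommends moving to a supported version.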
The 80 vulnerabilities found in PHP 7.3—particularly the 11 critical flaws—represent a serious security threat to your website and your users' data. These aren't theoretical vulnerabilities; attackers are actively exploiting outdated PHP versions to breach websites every single day. Upgrading to a current, supported PHP version is not optional—it's essential cybersecurity maintenance that protects your business reputation and legal compliance.
Don't wait until your website is compromised. Use SiteRecipe.com's vulnerability scanner to identify all security weaknesses on your site, monitor your PHP version in real-time, and receive automated alerts when updates are available. Our platform helps you stay ahead of threats and maintain the highest security standards. Start your free security audit today at SiteRecipe.com and take control of your website's safety.