Security
PHP Security Flaws: Update Now to Fix Critical
By Steven | TrustYourWebsite2 min read
Source: CERT-FR
France's national cybersecurity agency has issued a warning about serious security flaws in widely used web software. According to CERT-FR (Agence nationale de la sécurité des systèmes d'information), advisory CERTFR-2026-AVI-0553 published on 11 May 2026 identifies multiple vulnerabilities in PHP versions 8.2.x, 8.3.x, 8.4.x and 8.5.x.
What is PHP and why does it matter?
PHP is the programming language that powers a large portion of the web, including popular platforms like WordPress, WooCommerce and many booking or contact form tools. If your website runs on one of these platforms, there is a good chance PHP is running underneath it.
What vulnerabilities were found?
According to the CERT-FR advisory, the flaws include:
- Remote denial of service - an attacker could make your website or server unavailable
- SQL injection (SQLi) - an attacker could potentially access or manipulate data stored in your website's database
- Reflected cross-site scripting (XSS) - an attacker could inject malicious code that runs in a visitor's browser
- Additional unspecified risks - the vendor has noted further risks that have not been fully detailed
These vulnerabilities affect PHP versions prior to 8.2.31, 8.3.31, 8.4.21 and 8.5.6.
What should you do?
According to CERT-FR, the fix is to update PHP to one of the patched versions: 8.2.31, 8.3.31, 8.4.21 or 8.5.6. The agency advises referring to the vendor's own security bulletins for each version to apply the correct patches.
If you manage your own server or hosting environment, check which PHP version you are running and update it as soon as possible. If your website is managed by a developer or hosting provider, forward this article to them and ask them to confirm your PHP version is up to date.
You can also use our security checklist for small businesses to review your broader website security, and check our guide on vulnerable plugins if you use WordPress.
What does this mean for your website?
If your website runs on PHP (which includes most WordPress, WooCommerce and CMS-based sites), this advisory applies to you directly. Keeping your PHP version updated is one of the most straightforward steps you can take to protect your customers' data and keep your site running. Ask your web developer or hosting provider to confirm your current PHP version and apply any available updates.
Check your website now
Free website scan covering GDPR, copyright, accessibility, security, and more.
Start free checkRelated articles
Security
Linux Kernel Dirty Frag Vulnerability Patched
A Linux kernel vulnerability named 'Dirty Frag', enabling local privilege escalation to superuser, was publicly disclosed on 7 May after an embargo was broken by third parties.
2 min read
Security
Exim CVE-2026-45185 Vulnerability: CERT-FR Advisory
CERT-FR published advisory CERTFR-2026-AVI-0589 on 13 May 2026 disclosing a vulnerability in Exim versions 4.97 and later up to (but not including) 4.99.3, referenced as CVE-2026-45185.
2 min read
Security
Spring 2026 web security roundup: what changed in 6 weeks
SPIP, Spring, NGINX, cPanel, Let's Encrypt, MD5, Windows worm CVEs and a WordPress backdoor — a grounded recap of late April to mid May 2026.
4 min read