[Security] CVE-2015-8994 PHP OpCache vulnerability


2017-03-10 14:41:34 UTC


2017-08-18 16:05:56 UTC



Applicable to:

  • Plesk 12.5 for Linux
  • Plesk Onyx for Linux

General information

The vulnerability was registered on March 2. It affects installations where PHP-FPM is used with Zend OpCache: a subscription user can include PHP files that belong to another subscription user and read the values of sensitive variables. An application's database credentials (e.g. WordPress) can be compromised. Often, the full subscription can be compromised.

PHP 7 prior to version 7.0.14 and PHP 5 prior to version 5.6.29 are vulnerable. The older versions are vulnerable too by default, unless opcache.validate_permission is enabled.

For more information, please refer to the following resources:

  • Vulnerability Summary for CVE-2015-8994 - NIST publication
  • OPcache README commit


This issue is fixed in:

As a temporary workaround for the issue, go to Websites & Domains > PHP Settings and set opcache.enable to off.

Please also note that such a change can decrease server performance.
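
A configuration check for the conditions described above, added here as an example (it is not Plesk's or PHP's own code; the function and status names are hypothetical). It assumes you pass in a handler's PHP version string and the text of its effective ini settings, that the OPcache extension is loaded, and that opcache.validate_permission is honoured only from 5.6.29 and 7.0.14 onward, where it defaults to off.

```python
import re

TRUE_VALUES = {"1", "on", "true", "yes"}  # spellings php.ini accepts for "enabled"

# Constructed sample: OPcache on, opcache.validate_permission present only as a comment.
SAMPLE_INI = """
[opcache]
opcache.enable = On
;opcache.validate_permission = 1
"""


def parse_ini(text):
    """Return {directive: value} from php.ini-style text; the last assignment wins."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # strip ';' comments
        if "=" not in line or line.startswith("["):
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip("\"'").lower()
    return settings


def has_validate_permission(version):
    """True for 5.6.29+ on the 5.x branch and for 7.0.14 or later."""
    if version[0] == 5:
        return version >= (5, 6, 29)
    return version >= (7, 0, 14)


def assess(php_version, ini_text):
    """Classify one PHP-FPM handler from its version string and effective ini text."""
    match = re.match(r"(\d+)\.(\d+)\.(\d+)", php_version)
    if not match:
        raise ValueError("unrecognised PHP version: %r" % php_version)
    version = tuple(int(part) for part in match.groups())
    settings = parse_ini(ini_text)
    # Assumption: the OPcache extension is loaded, so opcache.enable defaults to on.
    if settings.get("opcache.enable", "1") not in TRUE_VALUES:
        return "opcache-off"  # the temporary workaround is in place
    if not has_validate_permission(version):
        return "exposed-no-directive"  # setting the directive has no effect here
    # opcache.validate_permission defaults to off.
    if settings.get("opcache.validate_permission", "0") in TRUE_VALUES:
        return "validate-permission-on"
    return "exposed-directive-off"
```

Feed it the output of the handler's own configuration rather than a single php.ini file, since per-domain settings can override the server-wide value.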
