The CVE is a dictionary of vulnerabilities maintained by the MITRE Corp. A unique identifier is associated with each security vulnerability found, for reference. The full database can be downloaded or searched online.
One can query the database for keywords (e.g. PHP) and dates. This is a little crude:
- there may be PHP-related vulnerabilities without the PHP keyword in them; for instance a bug in the PCRE library may affect PHP;
- some vulnerabilities may contain the keyword without being directly related to PHP, for instance an issue in the AJAX code used by a PHP project;
- a vulnerability report may aggregate many vulnerabilities, or a single issue may be scattered across several reports.
However, a quick manual check through the search results shows that the returned vulnerabilities are indeed mostly related to PHP, so although the precision may not be down to the percent, the overall picture and trend are genuine.
On the whole database, about 29% of vulnerabilities (CVE) are related to PHP, whereas only about 18% of products (CPE) are related to PHP.
Data generated on 2013-04-01:
year   php    cve      pc
2013    95   1226    7.7%
2012   969   5289   18.3%
2011   802   4150   19.3%
2010  1155   4639   24.9%
2009  2128   5732   37.1%
2008  2218   5632   39.4%
2007  2594   6516   39.8%
2006  3142   6608   47.5%
2005  1501   4932   30.4%
2004   507   2451   20.7%
2003   204   1527   13.4%
2002   245   2156   11.4%
2001    98   1677    5.8%
2000    21   1020    2.1%
1999     5    894    0.6%
1998     0    246    0.0%
1997     5    252    2.0%
1996     1     75    1.3%
(php: vulnerabilities matching the PHP keyword; cve: all vulnerabilities published that year; pc: share of PHP-related vulnerabilities.)
The network access vector shows that 99% of PHP-related vulnerabilities can be exploited remotely. PHP vulnerabilities account for about 33% of all vulnerabilities which allow remote access.
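The keyword query, the per-year table and the access-vector shares above can all be reproduced from a downloaded feed with a few lines of code. The script below is an added example written for this page; it is not the author's own script (those are available on request) and it runs on a small constructed set of records in the style of a CVE feed (the CVE-EXAMPLE identifiers and descriptions are invented, not real entries). It deliberately uses the same crude substring match as a keyword search, so the sample shows both error kinds mentioned above: a PCRE bug that affects PHP but is not counted, and a JavaScript issue that is counted only because "PHP" appears in its description.

```python
from collections import defaultdict

# Constructed records, not real CVE data: (id, year, description, access vector)
SAMPLE_CVES = [
    ("CVE-EXAMPLE-1", 2008, "SQL injection in a PHP-based content management system", "NETWORK"),
    # affects PHP through its regex library, but the keyword is absent: a false negative
    ("CVE-EXAMPLE-2", 2008, "Heap overflow in the PCRE regular expression library", "NETWORK"),
    ("CVE-EXAMPLE-3", 2008, "Local privilege escalation in a kernel driver", "LOCAL"),
    # keyword present, but the bug is in client-side JavaScript: a false positive
    ("CVE-EXAMPLE-4", 2009, "Cross-site scripting in the JavaScript shipped with a PHP forum", "NETWORK"),
    ("CVE-EXAMPLE-5", 2009, "Stack overflow in a desktop image viewer", "LOCAL"),
    ("CVE-EXAMPLE-6", 2009, "Remote file inclusion in a PHP web application", "NETWORK"),
    ("CVE-EXAMPLE-7", 2009, "Denial of service in a mail server", "NETWORK"),
    ("CVE-EXAMPLE-8", 2009, "Code execution in the PHP interpreter via a crafted local script", "LOCAL"),
]

PHP_KEYWORD = "php"


def is_php_related(description):
    """Crude keyword test, like the online CVE search: case-insensitive substring match."""
    return PHP_KEYWORD in description.lower()


def yearly_stats(records):
    """Return {year: (php_count, cve_count, php_percent)}, most recent year first."""
    php = defaultdict(int)
    total = defaultdict(int)
    for _cve_id, year, description, _vector in records:
        total[year] += 1
        if is_php_related(description):
            php[year] += 1
    return {
        year: (php[year], total[year], 100.0 * php[year] / total[year])
        for year in sorted(total, reverse=True)
    }


def overall_share(records):
    """Percentage of all records that match the PHP keyword."""
    php = sum(1 for r in records if is_php_related(r[2]))
    return 100.0 * php / len(records)


def remote_shares(records):
    """(percent of PHP vulns that are remotely exploitable,
        percent of remotely exploitable vulns that are PHP-related)."""
    php_all = sum(1 for r in records if is_php_related(r[2]))
    remote_all = sum(1 for r in records if r[3] == "NETWORK")
    php_remote = sum(1 for r in records if is_php_related(r[2]) and r[3] == "NETWORK")
    return (100.0 * php_remote / php_all, 100.0 * php_remote / remote_all)


def matched_descriptions(records):
    """The hits to eyeball for the 'quick manual check' of precision."""
    return [r[2] for r in records if is_php_related(r[2])]


def format_table(stats):
    """Render the stats in the same year/php/cve/pc layout as the page's table."""
    lines = ["year   php    cve      pc"]
    for year, (p, c, pct) in stats.items():
        lines.append(f"{year}  {p:>4}  {c:>5}  {pct:5.1f}%")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_table(yearly_stats(SAMPLE_CVES)))
    print(f"overall PHP share: {overall_share(SAMPLE_CVES):.1f}%")
    php_remote_pc, remote_php_pc = remote_shares(SAMPLE_CVES)
    print(f"PHP vulns exploitable remotely: {php_remote_pc:.1f}%")
    print(f"remote vulns that are PHP-related: {remote_php_pc:.1f}%")
    for d in matched_descriptions(SAMPLE_CVES):
        print("  hit:", d)
```

On a real feed, replace SAMPLE_CVES with records parsed from the downloaded CVE or NVD data and keep the manual review step: on this sample the hit list shows the JavaScript entry being counted and the PCRE entry being missed, which is exactly why the page treats the percentages as a trend rather than an exact figure.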
Here are possible explanations for these facts, dealing with developers, hackers, and the PHP language:
PHP application developers do not do a good job of securing their code: they do not care, or they do not know how, or they try but fail. PHP is often a self-taught first and only programming language for non-professional developers, whose code will stay online forever. Also, as PHP is easy and popular, more bugs are written with it.
PHP bugs may be intensely sought after because, when found, a flaw often allows an attacker to break into many servers: a big reward for hackers, a huge pain for system admins hosting these applications. For instance, 98 vulnerabilities are listed in 2008 and 25 in 2009 for the Joomla! CMS. According to the software website, hundreds of thousands of instances are deployed worldwide... Other popular CMS also got significant vulnerabilities in 2008 and 2009: Drupal 75 and 52, WordPress 54 and 16. Every such vulnerability means checks, updates and tests for the sysadmins, or leaving the servers open to hackers.
The PHP language and its libraries are not immune to security issues, like any other software. However, as the code runs online, the consequences are costly. There are about 19 core-PHP vulnerabilities published in 2008 and 22 in 2009 (note that they may have identifiers from another year, possibly because they were not disclosed immediately). The PCRE library used by PHP also had 4 vulnerabilities in 2008. The PHP language itself does not help developers: a taint mode, which could help prevent many issues by detecting bad programming, has been rejected several times. RIPS is a static analysis tool available to detect such PHP issues from the source code. Earlier versions of PHP had default settings (e.g. register_globals or magic_quotes) which made it very easy to write insecure code. These features are now off by default (since 4.2), marked as deprecated (5.3) and scheduled for removal (6.0).
The editor of this page is Fabien Coelho. I'm a researcher and teacher in computer science. I'll try to update the figures cited here from time to time. The scripts and queries used to compute these figures are available upon request. Feel free to suggest other possible explanations or to improve the precision of the analysis.