The PHP version is a signal of age. The true exploits lie in the surrounding OS and the application logic.
She ran it. The PHP-FPM child process crashed, then respawned. But in the microsecond between free and respawn, she injected a tracer. The memory register showed a dangling pointer pointing directly to the system() function in libc. php 5.5.9 exploit