CVE-2025-34104
9.4
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Summary
An authenticated remote code execution vulnerability exists in Piwik (now Matomo) versions prior to 3.0.3 via the plugin upload mechanism. In vulnerable versions, an authenticated user with Superuser privileges can upload and activate a malicious plugin (ZIP archive), leading to arbitrary PHP code execution on the underlying system. Starting with version 3.0.3, plugin upload functionality is disabled by default unless explicitly enabled in the configuration file.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Piwik (now Matomo) | Web Analytics Platform | 0 < 3.0.3 | affected |
Weaknesses
- CWE-434: CWE-434 Unrestricted Upload of File with Dangerous Type
- CWE-306: CWE-306 Missing Authentication for Critical Function
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://matomo.org/changelog/piwik-3-0-3/
- https://matomo.org/faq/plugins/faq_21/
- https://firefart.at/post/turning_piwik_superuser_creds_into_rce/
- https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/piwik_superuser_plugin_upload.rb
- https://www.vulncheck.com/advisories/piwik-authenticated-rce-via-custom-plugin-upload
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.