CVE-2025-34104

critical

Description

An authenticated remote code execution vulnerability exists in Piwik (now Matomo) versions prior to 3.0.3 via the plugin upload mechanism. In vulnerable versions, an authenticated user with Superuser privileges can upload and activate a malicious plugin (ZIP archive), leading to arbitrary PHP code execution on the underlying system. Starting with version 3.0.3, plugin upload functionality is disabled by default unless explicitly enabled in the configuration file.

References

https://matomo.org/changelog/piwik-3-0-3/

https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/piwik_superuser_plugin_upload.rb

https://www.vulncheck.com/advisories/piwik-authenticated-rce-via-custom-plugin-upload

https://matomo.org/faq/plugins/faq_21/

https://firefart.at/post/turning_piwik_superuser_creds_into_rce/

Details

Source: Mitre, NVD

Published: 2025-07-15

Updated: 2025-07-15

Risk Information

CVSS v2

Base Score: 6.5

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P

Severity: Medium

CVSS v3

Base Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Severity: High

CVSS v4

Base Score: 9.4

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Severity: Critical

EPSS

EPSS: 0.00268