CVE-2025-34104

An authenticated remote code execution vulnerability exists in Piwik (now Matomo) versions prior to 3.0.3 via the plugin upload mechanism. In vulnerable versions, an authenticated user with Superuser privileges can upload and activate a malicious plugin (ZIP archive), leading to arbitrary PHP code execution on the underlying system. Starting with version 3.0.3, plugin upload functionality is disabled by default unless explicitly enabled in the configuration file.

CVSS

No CVSS.

References

Link	Resource
https://firefart.at/post/turning_piwik_superuser_creds_into_rce/
https://matomo.org/changelog/piwik-3-0-3/
https://matomo.org/faq/plugins/faq_21/
https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/piwik_superuser_plugin_upload.rb
https://www.vulncheck.com/advisories/piwik-authenticated-rce-via-custom-plugin-upload

Configurations

No configuration.

History

15 Jul 2025, 13:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-07-15 13:15

Updated : 2025-07-15 20:07

NVD link : CVE-2025-34104

Mitre link : CVE-2025-34104

CVE.ORG link : CVE-2025-34104

JSON object : View

Products Affected

No product.

CWE

CWE-306

Missing Authentication for Critical Function

CWE-434

Unrestricted Upload of File with Dangerous Type

{"id": "CVE-2025-34104", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.4, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-07-15T13:15:29.967", "references": [{"url": "https://firefart.at/post/turning_piwik_superuser_creds_into_rce/", "source": "disclosure@vulncheck.com"}, {"url": "https://matomo.org/changelog/piwik-3-0-3/", "source": "disclosure@vulncheck.com"}, {"url": "https://matomo.org/faq/plugins/faq_21/", "source": "disclosure@vulncheck.com"}, {"url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/piwik_superuser_plugin_upload.rb", "source": "disclosure@vulncheck.com"}, {"url": "https://www.vulncheck.com/advisories/piwik-authenticated-rce-via-custom-plugin-upload", "source": "disclosure@vulncheck.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "description": [{"lang": "en", "value": "CWE-306"}, {"lang": "en", "value": "CWE-434"}]}], "descriptions": [{"lang": "en", "value": "An authenticated remote code execution vulnerability exists in Piwik (now Matomo) versions prior to 3.0.3 via the plugin upload mechanism. In vulnerable versions, an authenticated user with Superuser privileges can upload and activate a malicious plugin (ZIP archive), leading to arbitrary PHP code execution on the underlying system. Starting with version 3.0.3, plugin upload functionality is disabled by default unless explicitly enabled in the configuration file."}], "lastModified": "2025-07-15T20:07:28.023", "sourceIdentifier": "disclosure@vulncheck.com"}