CVE-2025-34104
Published: 2025-07-15
Priority: P2 (63) · Severity: critical · CVSS 4.0 base score: 9.4
Exploit: public (Metasploit module, see Detection & IOCs)
EPSS: 0.89% (55.0th percentile)
An authenticated remote code execution vulnerability exists in Piwik (now Matomo) versions prior to 3.0.3 via the plugin upload mechanism. In vulnerable versions, an authenticated user with Superuser privileges can upload and activate a malicious plugin (ZIP archive), leading to arbitrary PHP code execution in the context of the PHP process on the underlying system. Starting with version 3.0.3, plugin upload functionality is disabled by default unless explicitly enabled in the configuration file. Because the only precondition is a Superuser login, the practical impact is that any compromised, phished or reused Superuser credential becomes code execution on the analytics host; the PR:H in the CVSS 4.0 vector records that precondition, not a low likelihood of abuse.
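An added exposure check, written for this page and not taken from Matomo, the advisory or the Metasploit module: it combines the two facts stated above (plugin upload is on before 3.0.3 unless turned off, and off from 3.0.3 unless explicitly turned on) into a verdict for one installation. Two assumptions are baked in and should be verified against the Matomo FAQ linked below: that the installed version is the `VERSION` constant in `core/Version.php`, and that the switch is the key `enable_plugin_upload` under `[General]` in `config/config.ini.php`. The file contents in the block are constructed samples.

```python
# Added example (not from the page, Matomo, or the Metasploit module): exposure check for
# CVE-2025-34104 from the installed version and the plugin-upload configuration setting.
import configparser
import re

FIXED_VERSION = (3, 0, 3)


def parse_version(version):
    """'3.0.1' -> (3, 0, 1); a pre-release suffix such as '-b1' is ignored."""
    parts = [int(n) for n in re.findall(r"\d+", version.split("-")[0])][:3]
    return tuple(parts + [0] * (3 - len(parts)))


def version_from_php(version_php_source):
    """Pull the VERSION constant out of core/Version.php.
    ASSUMPTION: Matomo keeps its version as `const VERSION = '...'` in that file."""
    m = re.search(r"VERSION\s*=\s*['\"]([^'\"]+)['\"]", version_php_source)
    if not m:
        raise ValueError("no VERSION constant found")
    return m.group(1)


def plugin_upload_setting(config_ini_source):
    """Return True/False when enable_plugin_upload is set explicitly, None when absent.
    ASSUMPTION: the key lives under [General] in config/config.ini.php; verify against the FAQ."""
    # strict=False because Matomo config repeats keys such as Plugins[]; no % interpolation.
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(config_ini_source)
    if not cp.has_option("General", "enable_plugin_upload"):
        return None
    raw = cp.get("General", "enable_plugin_upload").strip().strip("\"'").lower()
    return raw not in ("", "0", "false", "off", "no")


def assess(version, config_ini_source):
    """Before 3.0.3 upload is on unless explicitly disabled; from 3.0.3 it is off unless
    explicitly enabled. Returns the facts plus a one-line verdict."""
    v = parse_version(version)
    setting = plugin_upload_setting(config_ini_source)
    patched = v >= FIXED_VERSION
    enabled = (setting is True) if patched else (setting is not False)
    return {
        "version": version,
        "patched": patched,
        "explicit_setting": setting,
        "plugin_upload_enabled": enabled,
        "verdict": "exposed: a Superuser can upload plugins" if enabled else "plugin upload is off",
    }


# Constructed sample file contents (not copied from a real installation).
VERSION_PHP = "<?php\nnamespace Piwik;\nfinal class Version\n{\n    const VERSION = '3.0.1';\n}\n"
CONFIG_DEFAULT = """; <?php exit; ?> DO NOT REMOVE THIS LINE
[database]
host = "127.0.0.1"
[General]
salt = "abc"
[Plugins]
Plugins[] = "CoreHome"
Plugins[] = "Marketplace"
"""
CONFIG_REENABLED = CONFIG_DEFAULT.replace('salt = "abc"', 'salt = "abc"\nenable_plugin_upload = 1')
CONFIG_DISABLED = CONFIG_DEFAULT.replace('salt = "abc"', 'salt = "abc"\nenable_plugin_upload = 0')

if __name__ == "__main__":
    print(assess(version_from_php(VERSION_PHP), CONFIG_DEFAULT))   # 3.0.1, default config: exposed
    print(assess("3.0.3", CONFIG_REENABLED))                       # patched but re-enabled: exposed
```

Run it against the real files by reading `core/Version.php` and `config/config.ini.php` from the webroot and passing their contents to `assess`; a patched version with `plugin_upload_enabled` True is the case the advisory warns about, not a false positive.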
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | matomo | — | — |
| piwik | web_analytics_platform | < 3.0.3 | 3.0.3 |
Detection & IOCs (extracted from sources)
Source: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/piwik_superuser_plugin_upload.rb
- Monitor for ZIP archive uploads to the Piwik/Matomo plugin upload endpoint by authenticated Superuser accounts, which may indicate malicious plugin delivery.
- Alert on activation of newly uploaded plugins in Piwik/Matomo versions prior to 3.0.3, especially if the plugin was not previously present in the installation.
- Detect use of the Metasploit module `piwik_superuser_plugin_upload` against Piwik instances (tested against versions 2.14.0, 2.16.0, 2.17.1, and 3.0.1).
- Flag Piwik/Matomo installations running versions prior to 3.0.3 where the plugin upload feature is active (i.e., not explicitly disabled in the configuration file).
- Plugin upload is disabled by default in Piwik/Matomo 3.0.3+. If the configuration file explicitly re-enables it, the attack surface is restored even on patched versions.
- The exploit does not work against Piwik version 1, as there is no option to upload custom plugins in that version.
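The first two detection items above, turned into runnable logic as an added example (written for this page, not taken from Matomo or the Metasploit module): it reads web-server access-log lines, raises an alert on every POST to the plugin upload handler, and raises a second, higher-severity alert when the same client then activates a plugin that is not in a baseline of known plugin names within a time window. The controller/action names (`Marketplace`/`uploadPlugin` for 3.x, `CorePluginsAdmin`/`uploadPlugin` for 2.x, `CorePluginsAdmin`/`activate` with `pluginName`) are assumptions from memory of the Matomo code base and must be checked against the Metasploit module before deployment. Access logs do not carry the Matomo username, so attributing the upload to a Superuser account needs correlation with Matomo's own session or audit data; the log lines and plugin baseline below are constructed.

```python
# Added example (not from the page, Matomo, or the Metasploit module): detection over
# web-server access logs for the upload-then-activate pattern behind CVE-2025-34104.
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Common/Combined Log Format prefix: client identd user [timestamp] "METHOD path proto" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)

# ASSUMPTION: handler names of the upload and activation endpoints, from memory of the
# Matomo code base (Marketplace in 3.x, CorePluginsAdmin in 2.x); verify against the module.
UPLOAD_HANDLERS = {("marketplace", "uploadplugin"), ("corepluginsadmin", "uploadplugin")}
ACTIVATE_HANDLER = ("corepluginsadmin", "activate")


def parse_line(line):
    """Parse one access-log line into the fields the rules need, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = parse_qs(urlsplit(m["path"]).query)
    first = lambda key: query.get(key, [""])[0]
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "status": int(m["status"]),
        "handler": (first("module").lower(), first("action").lower()),
        "plugin": first("pluginName"),
    }


def detect(lines, known_plugins, window_seconds=3600):
    """Alert on every upload POST (whatever the status: a refused upload still shows someone
    trying with Superuser access) and on activation of any plugin outside the baseline; the
    activation is 'high' when the same client uploaded something within window_seconds."""
    last_upload = {}  # client ip -> timestamp of its most recent upload POST
    alerts = []
    for ev in filter(None, map(parse_line, lines)):
        if ev["method"] == "POST" and ev["handler"] in UPLOAD_HANDLERS:
            last_upload[ev["ip"]] = ev["ts"]
            alerts.append({"rule": "plugin_upload", "severity": "medium", "ip": ev["ip"],
                           "status": ev["status"], "ts": ev["ts"].isoformat()})
        elif ev["handler"] == ACTIVATE_HANDLER and ev["plugin"] and ev["plugin"] not in known_plugins:
            t = last_upload.get(ev["ip"])
            recent = t is not None and 0 <= (ev["ts"] - t).total_seconds() <= window_seconds
            alerts.append({"rule": "unknown_plugin_activated", "severity": "high" if recent else "medium",
                           "ip": ev["ip"], "plugin": ev["plugin"], "ts": ev["ts"].isoformat()})
    return alerts


# Constructed sample log lines and plugin baseline (not real traffic, not a real install).
KNOWN_PLUGINS = {"CoreHome", "CorePluginsAdmin", "Marketplace", "GeoIp2"}
SAMPLE_LOG = [
    '203.0.113.5 - - [15/Jul/2025:10:00:01 +0000] "POST /piwik/index.php?module=Marketplace&action=uploadPlugin HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [15/Jul/2025:10:00:03 +0000] "GET /piwik/index.php?module=CorePluginsAdmin&action=activate&pluginName=Foo&nonce=abc HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [15/Jul/2025:11:00:00 +0000] "GET /piwik/index.php?module=CoreHome&action=index&idSite=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [15/Jul/2025:11:05:00 +0000] "GET /piwik/index.php?module=CorePluginsAdmin&action=activate&pluginName=GeoIp2&nonce=def HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, KNOWN_PLUGINS):
        print(alert)
```

Build the baseline from the plugin directories present at deployment time (or the `Plugins[]` entries in the configuration) rather than from whatever is activated today, otherwise a plugin that was uploaded before monitoring started is silently trusted.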
CVSS provenance
- NVD: CVSS 4.0 base 9.4 (CRITICAL), vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Debian (vendor): 9.4, rated LOW
GHSA
GHSA-7p5r-mwrp-qhhq (unreviewed, published 2025-07-15): CVE-2025-34104, CRITICAL, CWE-306. Same description as above.
Debian
CVE-2025-34104: matomo, CVSS 9.4, CRITICAL (vendor_debian, 2025). Same description as above.
Scope: local
sid: resolved
trixie: resolved
No detection rules found.
No writeups or analysis indexed.
References
- https://firefart.at/post/turning_piwik_superuser_creds_into_rce/
- https://matomo.org/changelog/piwik-3-0-3/
- https://matomo.org/faq/plugins/faq_21/
- https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/piwik_superuser_plugin_upload.rb
- https://www.vulncheck.com/advisories/piwik-authenticated-rce-via-custom-plugin-upload