CVE-2025-34104
published 2025-07-15


Priority: P2 (63) · Severity: critical · CVSS 4.0 score: 9.4
Exploit: available
EPSS: 0.89% (55.0th percentile)
An authenticated remote code execution vulnerability exists in Piwik (now Matomo) versions prior to 3.0.3 via the plugin upload mechanism. In vulnerable versions, an authenticated user with Superuser privileges can upload and activate a malicious plugin (ZIP archive), leading to arbitrary PHP code execution on the underlying system. Starting with version 3.0.3, plugin upload functionality is disabled by default unless explicitly enabled in the configuration file.

Affected (2 ranges)

Vendor   Product                  Version range   Fixed in
debian   matomo                   (not given)     (not given)
piwik    web_analytics_platform   < 3.0.3         3.0.3

Detection & IOCs (extracted from sources)

URL: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/piwik_superuser_plugin_upload.rb
Path: modules/exploits/unix/webapp/piwik_superuser_plugin_upload.rb
  • Monitor for ZIP archive uploads to the Piwik/Matomo plugin upload endpoint by authenticated Superuser accounts, which may indicate malicious plugin delivery.
  • Alert on activation of newly uploaded plugins in Piwik/Matomo versions prior to 3.0.3, especially if the plugin was not previously present in the installation.
  • Detect use of the Metasploit module `piwik_superuser_plugin_upload` against Piwik instances (tested against versions 2.14.0, 2.16.0, 2.17.1, and 3.0.1).
  • Flag Piwik/Matomo installations running versions prior to 3.0.3 where the plugin upload feature is active (i.e., not explicitly disabled in the configuration file).
  • Plugin upload is disabled by default in Piwik/Matomo 3.0.3+. If the configuration file explicitly re-enables it, the attack surface is restored even on patched versions.
  • The exploit does not work against Piwik version 1, as there is no option to upload custom plugins in that version.
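The last two bullets describe a concrete exposure rule (any version before 3.0.3, or a patched version whose configuration explicitly re-enables plugin upload) and the first one describes a log-level signal (an authenticated POST of a ZIP to the plugin-upload endpoint). The following script, added here as an illustration and not code from cvebase, Piwik/Matomo or the Metasploit module, turns both into defender-side checks. Two names in it are assumptions rather than facts taken from this page: the configuration switch is assumed to be `enable_plugin_upload` in the `[General]` section of `config/config.ini.php`, and the upload endpoint is assumed to be `index.php?module=Marketplace&action=uploadPlugin`; the sample config and access-log lines are constructed.

```python
"""Exposure check and access-log triage for the Piwik/Matomo plugin-upload
weakness (CVE-2025-34104).  Constructed example for defenders; not code
from cvebase, Piwik/Matomo or the Metasploit module.

Assumed (not stated on the advisory page):
  * config switch:  enable_plugin_upload  under [General] in config.ini.php
  * upload endpoint: index.php?module=Marketplace&action=uploadPlugin
"""
import configparser
import re
from typing import Iterable, List, Tuple

# From the advisory: plugin upload is off by default starting with 3.0.3.
FIXED_VERSION = (3, 0, 3)
# Assumed configuration key name (see module docstring).
UPLOAD_KEY = "enable_plugin_upload"
# Assumed upload endpoint (see module docstring).
UPLOAD_ENDPOINT = re.compile(r"module=Marketplace&action=uploadPlugin", re.I)

# Common/combined access-log format: ip ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.16.0' or '3.0.3-b1' into a comparable tuple of ints."""
    nums = re.findall(r"\d+", version)
    return tuple(int(n) for n in nums[:3])


def upload_explicitly_enabled(config_text: str) -> bool:
    """True if config.ini.php explicitly switches plugin upload on.

    Matomo's config.ini.php is PHP-ini flavoured; its leading
    '; <?php exit; ?>' guard is a comment to configparser, and
    strict=False tolerates repeated array keys such as Plugins[].
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(config_text)
    if not cp.has_option("General", UPLOAD_KEY):
        return False
    return cp.get("General", UPLOAD_KEY).strip().strip('"') == "1"


def plugin_upload_exposed(version: str, config_text: str) -> bool:
    """Is the plugin-upload path reachable on this installation?

    - Before 3.0.3 the upload feature is available, so the install is
      exposed regardless of configuration.
    - From 3.0.3 it is off by default; only the explicit config switch
      reopens it (the "patched but re-enabled" case in the bullets).
    """
    if parse_version(version) < FIXED_VERSION:
        return True
    return upload_explicitly_enabled(config_text)


def find_plugin_uploads(log_lines: Iterable[str]) -> List[dict]:
    """Return every POST to the (assumed) plugin-upload endpoint.

    GETs to the same URL just render the upload form, so they are ignored;
    the interesting event is the POST that actually delivers an archive.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        if UPLOAD_ENDPOINT.search(m.group("path")):
            hits.append({"ip": m.group("ip"), "time": m.group("ts"),
                         "status": int(m.group("status"))})
    return hits


# --- constructed sample inputs -------------------------------------------
SAMPLE_CONFIG_DEFAULT = """; <?php exit; ?> DO NOT REMOVE THIS LINE
[General]
salt = "0123456789abcdef"
"""

SAMPLE_CONFIG_REENABLED = """; <?php exit; ?> DO NOT REMOVE THIS LINE
[General]
salt = "0123456789abcdef"
enable_plugin_upload = 1
"""

SAMPLE_LOG = [
    '203.0.113.7 - - [15/Jul/2025:10:12:01 +0000] "GET /index.php?module=CoreHome&action=index HTTP/1.1" 200 5123',
    '203.0.113.7 - - [15/Jul/2025:10:12:40 +0000] "POST /index.php?module=Marketplace&action=uploadPlugin HTTP/1.1" 302 0',
    '198.51.100.4 - - [15/Jul/2025:10:13:05 +0000] "GET /index.php?module=Marketplace&action=uploadPlugin HTTP/1.1" 200 800',
]

if __name__ == "__main__":
    for ver, cfg in [("2.16.0", SAMPLE_CONFIG_DEFAULT),
                     ("3.0.3", SAMPLE_CONFIG_DEFAULT),
                     ("3.0.3", SAMPLE_CONFIG_REENABLED)]:
        print(f"version {ver}: exposed={plugin_upload_exposed(ver, cfg)}")
    for hit in find_plugin_uploads(SAMPLE_LOG):
        print("plugin upload POST:", hit)
```

Run against a real installation, feed `plugin_upload_exposed` the version from the Matomo admin page and the contents of `config/config.ini.php`, and point `find_plugin_uploads` at the web server's access log; a POST hit on an instance that the first check reports as exposed is the event worth correlating with the Superuser session and the newly appearing plugin directory that the other bullets mention.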

CVSS provenance

NVD (CVSS v4.0): 9.4 CRITICAL
  Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Vendor (Debian): 9.4, severity LOW