CVE-2025-34104

CRITICAL

Piwik <3.0.3 - Authenticated RCE


Description

An authenticated remote code execution vulnerability exists in Piwik (now Matomo) versions prior to 3.0.3 via the plugin upload mechanism. In vulnerable versions, an authenticated user with Superuser privileges can upload and activate a malicious plugin (ZIP archive), leading to arbitrary PHP code execution on the underlying system. Starting with version 3.0.3, plugin upload functionality is disabled by default unless explicitly enabled in the configuration file.

Exploits (1)

Metasploit module (working PoC, rated excellent)
by FireFart · tags: ruby, poc, php
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/piwik_superuser_plugin_upload.rb

Scores

CVSS v4 9.4
EPSS 0.5665
EPSS Percentile 98.1%
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Details

CWE
CWE-306, CWE-434
Status published
Products (1)
Piwik (now Matomo)/Web Analytics Platform < 3.0.3
Published Jul 15, 2025
Tracked Since Feb 18, 2026