CVE-2025-34104

CRITICAL

Piwik (now Matomo) < 3.0.3 - Authenticated Remote Code Execution via Plugin Upload


Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-34104. PoCs published by FireFart, including Metasploit module exploits/unix/webapp/piwik_superuser_plugin_upload.

AI-analyzed exploit summary: This Metasploit module exploits a plugin upload vulnerability in Piwik (CVE-2025-34104) by authenticating as a superuser, generating a malicious plugin with an embedded PHP payload, and uploading it to achieve remote code execution. It supports Piwik versions 2.x and 3.x (with manual config changes for 3.0.3+).

Description

An authenticated remote code execution vulnerability exists in Piwik (now Matomo) versions prior to 3.0.3 via the plugin upload mechanism. In vulnerable versions, an authenticated user with Superuser privileges can upload and activate a malicious plugin (ZIP archive), leading to arbitrary PHP code execution on the underlying system. Starting with version 3.0.3, plugin upload functionality is disabled by default unless explicitly enabled in the configuration file.
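The mitigating default described above can be checked directly on a host. The following Python script is an added example, not part of this record or of Matomo's own code: it reads a Matomo `config/config.ini.php` and the instance version and reports whether plugin uploads are reachable. It assumes the `[General]` option `enable_plugin_upload` (the setting Matomo documents for re-enabling uploads; the name is not on this page), and the sample config text is constructed.

```python
import configparser
import re

# Constructed sample of a Matomo config/config.ini.php that re-enables uploads.
# The leading "; <?php exit; ?>" guard line is parsed as a comment.
SAMPLE_CONFIG = """; <?php exit; ?> DO NOT REMOVE THIS LINE
[database]
host = "127.0.0.1"
username = "matomo"

[General]
salt = "0123456789abcdef"
enable_plugin_upload = 1

[Plugins]
Plugins[] = "CoreHome"
Plugins[] = "Actions"
"""

FIXED_VERSION = (3, 0, 3)  # per the advisory: uploads disabled by default from 3.0.3


def parse_version(text):
    """Turn a version string such as '3.0.2' or '2.16.0' into a comparable int tuple."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    return tuple(int(p) for p in m.groups())


def plugin_upload_enabled(config_text):
    """True if [General] enable_plugin_upload (assumed key name) is set to a truthy value."""
    # strict=False tolerates the repeated Plugins[] keys Matomo writes; no '%' interpolation.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(config_text)
    value = cp.get("General", "enable_plugin_upload", fallback="0").strip().strip('"')
    return value.lower() in ("1", "true", "on", "yes")


def plugin_upload_exposed(version, config_text):
    """Before 3.0.3 uploads are always available; from 3.0.3 only if the config enables them."""
    if parse_version(version) < FIXED_VERSION:
        return True
    return plugin_upload_enabled(config_text)


if __name__ == "__main__":
    for ver in ("3.0.2", "3.0.3"):
        print(ver, "plugin upload exposed:", plugin_upload_exposed(ver, SAMPLE_CONFIG))
```

A result of True means a Superuser account can still install plugins through the web UI, so the exposure then rests entirely on how well those credentials are protected.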

Exploits (1)

Metasploit · Working PoC · Excellent
by FireFart · ruby · poc · php
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/piwik_superuser_plugin_upload.rb

Classification
Working PoC: 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Piwik 2.14.0, 2.16.0, 2.17.1, 3.0.1 (and others with plugin uploads enabled)
Auth required
Prerequisites: Valid superuser credentials · Plugin uploads enabled (disabled by default in 3.0.3+)
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v4 9.4
EPSS 0.7356
EPSS Percentile 98.8%
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-306 CWE-434
Status published
Products (1)
Piwik (now Matomo)/Web Analytics Platform < 3.0.3
Published Jul 15, 2025
Tracked Since Feb 18, 2026