CVE-2025-34097
ProcessMaker < 3.5.4 Authenticated Plugin Upload RCE
Vexday Risk Score
36Attention
SSVC decision (CISA)
Attend
PoC available → attend closely
CVSS 8.6EPSS 1.0%KEV nãoPoC —Nuclei —Metasploit simPatch —
Lifecycle
25 Aug 2010Metasploit module available
10 Jul 2025Published on NVD
Recommendation: Plan a near-term fix — a public PoC already exists.
An unrestricted file upload vulnerability exists in ProcessMaker versions prior to 3.5.4 due to improper handling of uploaded plugin archives. An attacker with administrative privileges can upload a malicious .tar plugin file containing arbitrary PHP code. Upon installation, the plugin’s install() method is invoked, resulting in execution of attacker-supplied PHP code on the server with the privileges of the web server user. This vulnerability can be chained with CVE-2022-38577 — a privilege escalation flaw in the user profile page — to achieve full remote code execution from a low-privileged account.
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Affected products
ProcessMaker Inc. · ProcessMakerWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
https://process-maker-authenticated-plugin-upload-rcehttps://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/processmaker_plugin_upload.rbhttps://vulncheck.com/advisories/process-maker-authenticated-plugin-upload-rcehttps://wiki.processmaker.net/3.0/Plugin_Developmenthttps://www.exploit-db.com/exploits/44399https://www.fortiguard.com/encyclopedia/ips/45757