← back
CVE-2025-34097

ProcessMaker < 3.5.4 Authenticated Plugin Upload RCE

CVSS 8.6 HIGHEPSS 1.0%CWE-434
Vexday Risk Score
36Attention
SSVC decision (CISA)
Attend
PoC available → attend closely
CVSS 8.6EPSS 1.0%KEV nãoPoC Nuclei Metasploit simPatch
Lifecycle
25 Aug 2010Metasploit module available
10 Jul 2025Published on NVD
Recommendation: Plan a near-term fix — a public PoC already exists.
An unrestricted file upload vulnerability exists in ProcessMaker versions prior to 3.5.4 due to improper handling of uploaded plugin archives. An attacker with administrative privileges can upload a malicious .tar plugin file containing arbitrary PHP code. Upon installation, the plugin’s install() method is invoked, resulting in execution of attacker-supplied PHP code on the server with the privileges of the web server user. This vulnerability can be chained with CVE-2022-38577 — a privilege escalation flaw in the user profile page — to achieve full remote code execution from a low-privileged account.
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →