CVE-2025-34104

Piwik Authenticated RCE via Custom Plugin Upload

CVSS 9.4 CRITICALEPSS 0.9%CWE-306 CWE-434

Vexday Risk Score

43Atención

Decisión SSVC (CISA)

Attend

PoC disponible → seguir de cerca

CVSS 9.4EPSS 0.9%KEV nãoPoC —Nuclei —Metasploit simPatch referenciado

Ciclo de vida

05 feb 2017Exploit Metasploit disponible

15 jul 2025Publicada en NVD

Recomendación: Planificar corrección próxima — ya existe PoC pública.

An authenticated remote code execution vulnerability exists in Piwik (now Matomo) versions prior to 3.0.3 via the plugin upload mechanism. In vulnerable versions, an authenticated user with Superuser privileges can upload and activate a malicious plugin (ZIP archive), leading to arbitrary PHP code execution on the underlying system. Starting with version 3.0.3, plugin upload functionality is disabled by default unless explicitly enabled in the configuration file.

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Productos afectados

Piwik (now Matomo) · Web Analytics Platform

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://firefart.at/post/turning_piwik_superuser_creds_into_rce/https://matomo.org/changelog/piwik-3-0-3/https://matomo.org/faq/plugins/faq_21/https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/piwik_superuser_plugin_upload.rb https://www.vulncheck.com/advisories/piwik-authenticated-rce-via-custom-plugin-upload