CVE-2025-34104

Piwik Authenticated RCE via Custom Plugin Upload

CVSS 9.4 CRITICALEPSS 0.9%CWE-306 CWE-434

Vexday Risk Score

43Atenção

Decisão SSVC (CISA)

Attend

PoC disponível → acompanhar de perto

CVSS 9.4EPSS 0.9%KEV nãoPoC —Nuclei —Metasploit simPatch referenciado

Ciclo de vida

05 fev 2017Exploit Metasploit disponível

15 jul 2025Publicada no NVD

Recomendação: Planejar correção próxima — já existe PoC pública.

An authenticated remote code execution vulnerability exists in Piwik (now Matomo) versions prior to 3.0.3 via the plugin upload mechanism. In vulnerable versions, an authenticated user with Superuser privileges can upload and activate a malicious plugin (ZIP archive), leading to arbitrary PHP code execution on the underlying system. Starting with version 3.0.3, plugin upload functionality is disabled by default unless explicitly enabled in the configuration file.

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Produtos afetados

Piwik (now Matomo) · Web Analytics Platform

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://firefart.at/post/turning_piwik_superuser_creds_into_rce/https://matomo.org/changelog/piwik-3-0-3/https://matomo.org/faq/plugins/faq_21/https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/piwik_superuser_plugin_upload.rb https://www.vulncheck.com/advisories/piwik-authenticated-rce-via-custom-plugin-upload