CVE-2025-34104
Piwik Authenticated RCE via Custom Plugin Upload
| CVSS Score | 0.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
An authenticated remote code execution vulnerability exists in Piwik (now Matomo) versions prior to 3.0.3 via the plugin upload mechanism. In vulnerable versions, an authenticated user with Superuser privileges can upload and activate a malicious plugin (ZIP archive), leading to arbitrary PHP code execution on the underlying system. Starting with version 3.0.3, plugin upload functionality is disabled by default unless explicitly enabled in the configuration file.
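A quick way to audit an installation against the two conditions the advisory names (version older than 3.0.3, or plugin upload explicitly enabled in the configuration file) is a small script that reads the instance's version and its `config.ini.php`. The code below is an added example written for this page; it is not part of the advisory, the Metasploit module or Matomo's own code. It assumes the setting is the `enable_plugin_upload` key in the `[General]` section of `config.ini.php` (Matomo's documented name for it, which the page itself does not spell out), and the sample configuration strings are constructed for the demonstration.

```python
"""Audit a Piwik/Matomo instance for exposure to CVE-2025-34104.

Two signals, both taken from the advisory text:
  1. the installed version is older than 3.0.3 (upload available by default), or
  2. plugin upload has been explicitly enabled in the configuration file.
"""
import configparser
import re

FIXED_VERSION = (3, 0, 3)

# Constructed sample configs (not real deployments). The first line mirrors
# Matomo's PHP guard; it starts with ';' so the INI parser treats it as a comment.
SAMPLE_WEAK_CONFIG = """; <?php exit; ?> DO NOT REMOVE THIS LINE
[General]
enable_plugin_upload = 1
"""
SAMPLE_HARDENED_CONFIG = """; <?php exit; ?> DO NOT REMOVE THIS LINE
[General]
enable_plugin_upload = 0
"""


def parse_version(text):
    """Turn '3.0.2', '2.17' or '4.1.0-rc1' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) if x is not None else 0 for x in m.groups())


def load_matomo_config(ini_text):
    """Parse config.ini.php content with case-sensitive keys and tolerant duplicates."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep 'enable_plugin_upload' exactly as written
    parser.read_string(ini_text)
    return parser


def plugin_upload_enabled(parser):
    """True when the (assumed) [General] enable_plugin_upload key is switched on."""
    value = parser.get("General", "enable_plugin_upload", fallback="0")
    return value.strip().strip('"') in ("1", "true", "on")


def assess(version, ini_text):
    """Return a list of findings; an empty list means neither condition applies."""
    findings = []
    if parse_version(version) < FIXED_VERSION:
        findings.append(
            f"version {version} is older than 3.0.3: plugin upload is available "
            "to Superusers by default"
        )
    if plugin_upload_enabled(load_matomo_config(ini_text)):
        findings.append(
            "enable_plugin_upload is on: a Superuser can install arbitrary plugin ZIPs"
        )
    return findings


if __name__ == "__main__":
    for label, ver, cfg in (
        ("old version, upload enabled", "3.0.2", SAMPLE_WEAK_CONFIG),
        ("fixed version, upload enabled", "3.0.3", SAMPLE_WEAK_CONFIG),
        ("fixed version, default config", "3.0.3", SAMPLE_HARDENED_CONFIG),
    ):
        print(label, "->", assess(ver, cfg) or "no findings")
```

Run it against the real `config/config.ini.php` and the version string from the instance to get the same two-line verdict; a non-empty result means the plugin upload path is reachable by any account holding Superuser rights, so those accounts deserve the same scrutiny as administrative shell access.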
| CWE | CWE-434, CWE-306 |
| Vendor | piwik (now matomo) |
| Product | web analytics platform |
| Published | Jul 15, 2025 |
| Last Updated | May 15, 2026 |
Affected Versions
Piwik (now Matomo) / Web Analytics Platform
0 < 3.0.3
References
- matomo.org: https://matomo.org/changelog/piwik-3-0-3/
- matomo.org: https://matomo.org/faq/plugins/faq_21/
- firefart.at: https://firefart.at/post/turning_piwik_superuser_creds_into_rce/
- raw.githubusercontent.com: https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/piwik_superuser_plugin_upload.rb
- vulncheck.com: https://www.vulncheck.com/advisories/piwik-authenticated-rce-via-custom-plugin-upload
Credits
FireFart