CVE-2025-34104
BaseFortify
Publication date: 2025-07-15
Last updated on: 2025-07-15
Assigner: VulnCheck
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| matomo | analytics_platform | 2.14.0 |
| matomo | analytics_platform | 2.16.0 |
| matomo | analytics_platform | 2.17.1 |
| matomo | analytics_platform | 3.0.1 |
| matomo | analytics_platform | 3.0.2 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
AI Powered Q&A
How can this vulnerability impact me?
If exploited, this vulnerability gives an attacker full control of the host running Piwik/Matomo. An attacker who already holds Superuser credentials can upload and activate a malicious plugin that runs arbitrary PHP code as the web-server user, and from there read the analytics database, alter tracked data, plant persistence, or pivot to other systems. The Superuser requirement narrows who can trigger it (a malicious or compromised Superuser account, or a stolen session), but it does not reduce the impact once triggered: confidentiality, integrity and availability of the server and its data are all affected. [1, 2, 4]
Can you explain this vulnerability to me?
CVE-2025-34104 covers Piwik (now Matomo) versions before 3.0.3, in which a user with Superuser privileges can upload a plugin as a ZIP archive through the Marketplace administration page and then activate it. A plugin is ordinary PHP code, so an attacker who packages a plugin whose install() hook carries their payload gets remote code execution on the server the moment the plugin is activated. The weakness is the design of the upload path rather than a single missing check: it accepted any ZIP from a Superuser, and the operator had no supported way to turn the feature off. Starting with 3.0.3 the upload feature is disabled by default and only works if it is explicitly enabled in the configuration. [1, 2, 4]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection comes down to two facts: the running version, and whether plugin upload is still reachable. The version can be read remotely from the Feedback module page (the "About Piwik x.y.z" text) or inferred from version-specific static assets such as logo.svg; locally it is in core/Version.php. Then check whether the Marketplace plugin is active and, on 3.0.3 or later, whether custom plugin uploads have been enabled in config/config.ini.php. The Metasploit module automates this by logging in with Superuser credentials, reading the version, and then attempting the upload and activation, so running it against a production host is an exploitation test rather than a passive check. Plain HTTP requests to the Feedback page plus a read of the configuration file give the same answer without executing anything on the target. [4]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading Piwik (Matomo) to version 3.0.3 or later, where the plugin upload functionality is disabled by default unless explicitly enabled. If upgrading is not immediately possible, ensure that the configuration file disables custom plugin uploads. Restrict superuser access to trusted users only, and verify that the web server does not have unnecessary write permissions to the web root to prevent plugin uploads. Monitoring and auditing superuser activities can also help detect suspicious plugin uploads. [2, 3]