CVE-2025-34104 is a critical remote code execution vulnerability affecting the Piwik (now Matomo) web analytics platform versions prior to 3.0.3. The vulnerability arises from an unrestricted file upload flaw (CWE-434) combined with insufficient authentication controls (CWE-306) in the plugin upload mechanism. Specifically, an authenticated user with Superuser privileges can upload a malicious plugin packaged as a ZIP archive. Upon activation, this malicious plugin allows arbitrary PHP code execution on the underlying server hosting the Matomo platform. This can lead to full compromise of the web server, enabling attackers to execute any code, potentially leading to data theft, service disruption, or pivoting to other internal systems. The vulnerability is particularly severe because it does not require user interaction beyond authentication, and the attack surface includes any system running vulnerable Matomo versions with plugin upload enabled. Starting with version 3.0.3, the plugin upload functionality is disabled by default unless explicitly enabled in the configuration, mitigating the risk for updated systems. The CVSS 4.0 score of 9.4 reflects the critical nature of this vulnerability, with network attack vector, low attack complexity, no user interaction, and high impacts on confidentiality, integrity, and availability. No known exploits are reported in the wild yet, but the ease of exploitation and potential impact make this a high-priority issue for organizations using Matomo for web analytics.

For European organizations, the impact of this vulnerability can be significant. Matomo is widely used across Europe as an open-source alternative to commercial analytics platforms, often deployed on-premises or in private cloud environments to comply with strict data privacy regulations such as GDPR. A successful exploitation could lead to unauthorized access to sensitive analytics data, including visitor behavior and potentially personally identifiable information (PII). Furthermore, attackers gaining code execution on the server could disrupt analytics services, deface websites, or use the compromised server as a foothold for lateral movement within the organization’s network. This could result in reputational damage, regulatory penalties, and operational downtime. Given the criticality of the vulnerability and the privileged access required, organizations with multiple superusers or weak internal access controls are at higher risk. The fact that plugin upload is disabled by default in newer versions reduces risk for updated systems but leaves legacy deployments vulnerable. European organizations relying on Matomo for compliance reporting or customer insights must prioritize patching or configuration changes to avoid potential breaches.

To mitigate this vulnerability effectively, European organizations should: 1) Immediately upgrade Matomo installations to version 3.0.3 or later, where plugin upload is disabled by default and security improvements are implemented. 2) If upgrading is not immediately feasible, explicitly disable the plugin upload functionality in the configuration file to prevent unauthorized plugin uploads. 3) Restrict Superuser privileges strictly to trusted personnel and enforce strong authentication mechanisms, such as multi-factor authentication, to reduce the risk of credential compromise. 4) Implement network segmentation and web application firewalls (WAFs) to monitor and block suspicious upload attempts or unusual plugin activations. 5) Regularly audit installed plugins and uploaded files for anomalies or unauthorized changes. 6) Monitor server logs and application behavior for signs of exploitation or unexpected PHP code execution. 7) Educate administrators on the risks associated with plugin uploads and enforce least privilege principles. These steps go beyond generic patching advice by emphasizing configuration hardening, access control, and proactive monitoring tailored to the nature of this vulnerability.