CVE-2025-34097

10.07.2025, 20:15

An unrestricted file upload vulnerability exists in ProcessMaker versions prior to 3.5.4 due to improper handling of uploaded plugin archives. An attacker with administrative privileges can upload a malicious .tar plugin file containing arbitrary PHP code. Upon installation, the plugins install() method is invoked, resulting in execution of attacker-supplied PHP code on the server with the privileges of the web server user.This vulnerability can be chained with CVE-2022-38577  a privilege escalation flaw in the user profile page  to achieve full remote code execution from a low-privileged account.

Provider	Type	Base Score	Vector
NIST	NIST	UNKNOWN	---
VulnCheck	CNA	---	---
CISA-ADP	ADP	---	---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Common Weakness Enumeration

CWE-434 - Unrestricted Upload of File with Dangerous Type
The software allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.

References

https://process-maker-authenticated-plugin-upload-rce

https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/processmaker_plugin_upload.rb

https://vulncheck.com/advisories/process-maker-authenticated-plugin-upload-rce

https://wiki.processmaker.net/3.0/Plugin_Development

https://www.exploit-db.com/exploits/44399

https://www.fortiguard.com/encyclopedia/ips/45757