Description

An unrestricted file upload vulnerability exists in ProcessMaker versions prior to 3.5.4 due to improper handling of uploaded plugin archives. An attacker with administrative privileges can upload a malicious .tar plugin file containing arbitrary PHP code. Upon installation, the plugin’s install() method is invoked, resulting in execution of attacker-supplied PHP code on the server with the privileges of the web server user. This vulnerability can be chained with CVE-2022-38577 — a privilege escalation flaw in the user profile page — to achieve full remote code execution from a low-privileged account.

INFO

Published Date :

2025-07-10T19:12:37.309Z

Last Modified :

2026-04-07T14:09:26.734Z

Source :

VulnCheck
AFFECTED PRODUCTS

The following products are affected by CVE-2025-34097 vulnerability.

Vendors Products
Processmaker
  • Processmaker
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-34097.

URL Resource
https://process-maker-authenticated-plugin-upload-rce cve-icon cve-icon
https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/processmaker_plugin_upload.rb cve-icon cve-icon
https://vulncheck.com/advisories/process-maker-authenticated-plugin-upload-rce cve-icon cve-icon
https://wiki.processmaker.net/3.0/Plugin_Development cve-icon cve-icon
https://www.exploit-db.com/exploits/44399 cve-icon cve-icon
https://www.fortiguard.com/encyclopedia/ips/45757 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability