Description
An unrestricted file upload vulnerability exists in ProcessMaker versions prior to 3.5.4 due to improper handling of uploaded plugin archives. An attacker with administrative privileges can upload a malicious .tar plugin file containing arbitrary PHP code. Upon installation, the plugin’s install() method is invoked, resulting in execution of attacker-supplied PHP code on the server with the privileges of the web server user. This vulnerability can be chained with CVE-2022-38577 — a privilege escalation flaw in the user profile page — to achieve full remote code execution from a low-privileged account.
Published: 2025-07-10
Score: 8.6 High
EPSS: 53.0% High
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an unrestricted file upload that allows an attacker with administrative privileges to place a malicious .tar archive containing PHP code. When the archive is installed, the plugin’s install() method runs with web‑server user privileges, giving the attacker remote code execution. The flaw stems from improper validation of plugin archives, matching CWE‑434.

Affected Systems

ProcessMaker Inc. ProcessMaker Community Edition versions earlier than 3.5.4 are affected. No specific sub‑version range is listed; any build older than 3.5.4 carries the flaw.

Risk and Exploitability

The CVSS score of 8.6 indicates high severity, and the EPSS score of 32 % shows that exploitation is likely. The vulnerability is not currently cataloged in CISA KEV. Attackers must be authenticated as a user with administrative rights to upload the payload, although chaining with a separate privilege‑escalation flaw can enable exploitation from a lower‑privileged account. Failure to patch enables remote code execution with the web‑server user’s privileges, allowing full control over the affected system.

Generated by OpenCVE AI on April 28, 2026 at 01:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s patch to upgrade to ProcessMaker version 3.5.4 or later.
  • Disable or remove the ability to upload .tar plugin archives, restricting uploads to approved content or disabling the plugin installation feature entirely.
  • Ensure that only users with administrative rights can access plugin upload and installation interfaces; remove or limit this capability for other roles.

Generated by OpenCVE AI on April 28, 2026 at 01:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-21034 An unrestricted file upload vulnerability exists in ProcessMaker versions prior to 3.5.4 due to improper handling of uploaded plugin archives. An attacker with administrative privileges can upload a malicious .tar plugin file containing arbitrary PHP code. Upon installation, the plugin’s install() method is invoked, resulting in execution of attacker-supplied PHP code on the server with the privileges of the web server user. This vulnerability can be chained with CVE-2022-38577 — a privilege escalation flaw in the user profile page — to achieve full remote code execution from a low-privileged account.
History

Wed, 19 Nov 2025 12:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:processmaker:processmaker:*:*:*:*:community:*:*:*

Wed, 16 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.0039}

 epss

{'score': 0.00377}

Fri, 11 Jul 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 11 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.0039}

Fri, 11 Jul 2025 13:30:00 +0000

Type Values Removed Values Added
Metrics epss

{}

Thu, 10 Jul 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 10 Jul 2025 19:30:00 +0000

Type Values Removed Values Added
Description An unrestricted file upload vulnerability exists in ProcessMaker versions prior to 3.5.4 due to improper handling of uploaded plugin archives. An attacker with administrative privileges can upload a malicious .tar plugin file containing arbitrary PHP code. Upon installation, the plugin’s install() method is invoked, resulting in execution of attacker-supplied PHP code on the server with the privileges of the web server user. This vulnerability can be chained with CVE-2022-38577 — a privilege escalation flaw in the user profile page — to achieve full remote code execution from a low-privileged account.
Title ProcessMaker < 3.5.4 Authenticated Plugin Upload RCE
Weaknesses CWE-434
References
Metrics cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Processmaker Processmaker
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-07T14:09:26.734Z

Reserved: 2025-04-15T19:15:22.555Z

Link: CVE-2025-34097

cve-icon Vulnrichment

Updated: 2025-07-10T20:26:22.512Z

cve-icon NVD

Status : Deferred

Published: 2025-07-10T20:15:25.260

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-34097

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T01:15:15Z

Weaknesses