Medium
CVE-2025-58630
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in rbaer Simple Matomo Tracking Code simple-matomo-tracking-code allows Stored XSS.This issue affect…
Tag: Matomo
All CVEs associated with "Matomo". Page 1/1 • 11 CVEs.
About “Matomo”
A curated feed of “Matomo”-related CVEs appears below. We currently track 11 CVEs for this tag (all time). In the last 365 days, 2 were published. Average CVSS is 5.6 (all time; 7.7 over 365d), and 9% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), CWE-306 - Missing Authentication for Critical Function.
In our taxonomy this topic maps to a LOW impact class. CMS and plugins expand attack surface. Patch core, themes, and plugins, remove abandoned extensions, restrict admin access, enable WAF, and keep backups. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.
Support & lifecycle: matomo
This table shows recent release cycles and their projected end-of-life. Data source: endoflife.date.
| Cycle | Release | Latest | Premier Support | EOL | LTS |
|---|---|---|---|---|---|
| 5 | 5.10.1 | Unavailable | - | ||
| 4 | 4.16.2 | Expired | |||
| 3 | 3.14.1 | Expired | |||
| 2 | 2.18.1 | Expired | |||
| 1 | 1.12 | Expired |
Maintained Soon (≤ 180 days) Expired
Subscribe lifecycle: RSS (expired) · ICS
Subscribe CVEs: RSS for “Matomo” · RSS (High+Critical only)
CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).
CVSS ≥ 0.0
2025-09-03
2025-07-15
Critical
CVE-2025-34104
An authenticated remote code execution vulnerability exists in Piwik (now Matomo) versions prior to 3.0.3 via the plugin upload mechanism. In vulnerable versions, an authenticated user with Superuser…
2025-03-31
Medium
CVE-2025-31680
Cross-Site Request Forgery (CSRF) vulnerability in Drupal Matomo Analytics allows Cross Site Request Forgery.This issue affects Matomo Analytics: from 0.0.0 before 1.24.0.
2025-01-02
Medium
CVE-2024-38766
Cross-Site Request Forgery (CSRF) vulnerability in matomoteam Matomo Analytics matomo allows Cross Site Request Forgery.This issue affects Matomo Analytics: from n/a through <= 5.1.1.
2024-02-29
Medium
CVE-2023-6923
The Matomo Analytics – Ethical Stats. Powerful Insights. plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the idsite parameter in all versions up to, and including, 4.15.3 due…
2023-09-22
Medium
CVE-2023-4774
The WP-Matomo Integration (WP-Piwik) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wp-piwik' shortcode in versions up to, and including, 1.0.28 due to insufficient input…
2023-05-28
Medium
CVE-2023-33211
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in André Bräkling WP-Matomo Integration (WP-Piwik) plugin <= 1.0.27 versions.
2023-02-23
Medium
CVE-2023-23659
Cross-Site Request Forgery (CSRF) vulnerability in MainWP Matomo Extension <= 4.0.4 versions.
2023-02-05
Low
CVE-2017-20175
A vulnerability classified as problematic has been found in DaSchTour matomo-mediawiki-extension up to 2.4.2 on MediaWiki. This affects an unknown part of the file Piwik.hooks.php of the component Us…
2022-07-12
Medium
CVE-2022-33156
The matomo_integration (aka Matomo Integration) extension before 1.3.2 for TYPO3 allows XSS.
2019-05-20
Medium
CVE-2019-12215
A full path disclosure vulnerability was discovered in Matomo v3.9.1 where a user can trigger a particular error to discover the full path of Matomo on the disk, because lastError.file is used in plu…