It was discovered that Piwik versions 0.4.5 and below unserialize data from the user-supplied cookie. By unserializing some of Piwik's objects, it is possible to write arbitrary files to writable locations on the web server. This can be used to upload, for example, PHP files to writable directories within the web server's document root, which usually exist in a standard Piwik installation. In newer versions of Piwik it is also possible to execute arbitrary PHP code directly.
You can download this advisory from the following link: https://packetstormsecurity.com/files/download/83685/piwik-unserialize.txt
Source: https://packetstormsecurity.com/files/83685/Piwik-Cookie-Unserialize-Execution.html
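The root cause described above is cookie bytes reaching `unserialize()`. The following added example (not Piwik's code or its actual fix; the function names, cookie layout and key are hypothetical) contrasts that pattern with a cookie that carries only HMAC-authenticated JSON data.

```php
<?php
// Added example: names, cookie layout and key are assumptions, not Piwik code.
const COOKIE_KEY = 'replace-with-random-server-side-secret'; // constructed placeholder

// Risky pattern the advisory describes: client-controlled bytes reach unserialize(),
// so any loaded class can be instantiated and its magic methods triggered.
function load_cookie_unsafe(string $raw)
{
    return unserialize(base64_decode($raw));
}

// Hardened writer: JSON payload (plain data, no objects) plus an HMAC tag.
function make_cookie(array $data): string
{
    $payload = base64_encode(json_encode($data));
    return $payload . '.' . hash_hmac('sha256', $payload, COOKIE_KEY);
}

// Hardened reader: verify the tag in constant time before decoding anything.
function load_cookie_safe(string $raw): ?array
{
    $parts = explode('.', $raw, 2);
    if (count($parts) !== 2) {
        return null;                       // not in payload.tag form
    }
    [$payload, $tag] = $parts;
    if (!hash_equals(hash_hmac('sha256', $payload, COOKIE_KEY), $tag)) {
        return null;                       // forged or modified cookie
    }
    $json = base64_decode($payload, true);
    if ($json === false) {
        return null;
    }
    $data = json_decode($json, true);      // yields arrays and scalars only
    return is_array($data) ? $data : null;
}

// Constructed sample values.
$good = make_cookie(['visitor_id' => 'abc123', 'last_visit' => 1262304000]);
var_dump(load_cookie_safe($good));

// A serialized object with an invalid tag is rejected before any decoding.
$forged = base64_encode(serialize(new stdClass())) . '.deadbeef';
var_dump(load_cookie_safe($forged));
```

Where legacy serialized data must still be read, PHP 7 and later accept `unserialize($raw, ['allowed_classes' => false])`, which prevents object instantiation.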

