CVE-2009-0527

AdaptCMS Lite 1.4 - Remote Code Execution via RSS Importer Sitepath Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2009-0527. PoCs published by RoMaNcYxHaCkEr.

AI-analyzed exploit summary The exploit demonstrates Remote File Include (RFI) and Cross-Site Scripting (XSS) vulnerabilities in AdaptCMS Lite 1.4. The RFI allows remote code execution by including a malicious file via the 'sitepath' parameter, while the XSS vulnerabilities exploit unsanitized input in the 'view' and 'acuparam' parameters.

Description

PHP remote file inclusion vulnerability in plugins/rss_importer_functions.php in AdaptCMS Lite 1.4 allows remote attackers to execute arbitrary PHP code via a URL in the sitepath parameter.

Exploits (1)

exploitdb WORKING POC VERIFIED
by RoMaNcYxHaCkEr · textwebappsphp
https://www.exploit-db.com/exploits/8016

The exploit demonstrates Remote File Include (RFI) and Cross-Site Scripting (XSS) vulnerabilities in AdaptCMS Lite 1.4. The RFI allows remote code execution by including a malicious file via the 'sitepath' parameter, while the XSS vulnerabilities exploit unsanitized input in the 'view' and 'acuparam' parameters.

Classification
Working Poc 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: AdaptCMS Lite 1.4
No auth needed
Prerequisites: Network access to the target application · Target application must be running AdaptCMS Lite 1.4
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4
Core References
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/33866
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/8016
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/48610
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/33698

Scores

EPSS 0.0393
EPSS Percentile 89.0%

Details

CWE
CWE-94
Status published
Products (1)
adaptcms/adaptcms 1.4 unknown
Published Feb 11, 2009
Tracked Since Feb 18, 2026