CVE-2009-3418

Plume CMS 1.2.3 - Authenticated SQL Injection via Manager Parameters

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2009-3418. PoCs published by Sense of Security.

AI-analyzed exploit summary: This is a security advisory detailing SQL injection vulnerabilities in Plume CMS versions 1.2.3 and possibly others. The advisory includes a proof-of-concept SQL injection payload targeting the 'm' parameter in index.php and the 'id' parameter in tools.php.

Description

Multiple SQL injection vulnerabilities in Plume CMS 1.2.3 allow (1) remote authenticated users to execute arbitrary SQL commands via the m parameter to manager/index.php and (2) remote authenticated administrators to execute arbitrary SQL commands via the id parameter in an edit_link action to manager/tools.php. NOTE: some of these details are obtained from third party information.

Exploits (1)

exploitdb WRITEUP VERIFIED
by Sense of Security · text · webapps · php
https://www.exploit-db.com/exploits/9424

Classification: Writeup 100%
Attack Type: SQLi
Complexity: Trivial
Reliability: Reliable
Target: Plume CMS 1.2.3
Auth required
Prerequisites: Network access to the target application · Valid authentication credentials
devstral-2 · analyzed Feb 16, 2026

References (2)

Core References
Vendor Advisory (third-party-advisory, x_refsource_secunia): http://secunia.com/advisories/36277

Scores

EPSS: 0.0080
EPSS Percentile: 51.8%

Details

CWE: CWE-89
Status: published
Products (1): plume-cms/plume_cms 1.2.3
Published: Sep 25, 2009
Tracked Since: Feb 18, 2026