Plume CMS version 1.2.4 suffers from multiple local file inclusion vulnerabilities. This issue has been known for years and they have ignored fixing it.
4857423c27d17b04ffc644cfa5a5eae002cdd19c06011bbba75b3adc579028f5
Plume CMS 1.1.10 suffers from a remote file inclusion vulnerability.
83570734e0074fe652424bc5712d1d89dcf971c4f099f79a87994eb1e6d5048e