A survey of GitHub repositories reveals that "Magento 1.9.0.0 exploits" generally fall into three primary categories: SQL Injection (SQLi), Remote Code Execution (RCE), and Automated Admin Brute-forcing.
An exploit for versions below 1.9.0.1 allows an authenticated user with certain permissions to execute PHP code. A script for this is available in the htb-scripts-for-retired-boxes repository on GitHub. magento 1.9.0.0 exploit github