CVE-2025-2048 – Lana Downloads Manager < 1.10.0 - Admin+ Arbitrary File Download via Path Traversal

https://notcve.org/view.php?id=CVE-2025-2048

11 Mar 2025 — The Lana Downloads Manager WordPress plugin before 1.10.0 does not validate user input used in a path, which could allow users with an admin role to perform path traversal attacks and download arbitrary files on the server The Lana Downloads Manager plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.9.0. This makes it possible for authenticated attackers, with Administrator-level access and above, to perform actions on files outside of the originally intended direct... • https://wpscan.com/vulnerability/05c664e8-110e-4a31-8377-41a0422508a7 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •