Vulnerabilities and security researches forlana-downloads-manager lana-downloads-manager

Jun 07, 2024

CVE, Research URL: CVE-2022-2392
Home page URL: Security reports for Lana Downloads Manager
Application: Lana Downloads Manager
Date: Aug 22, 2022
Research Description: The Lana Downloads Manager WordPress plugin before 1.8.0 is affected by an arbitrary file download vulnerability that can be exploited by users with "Contributor" permissions or higher.
Affected versions: Min -, max -.
Status: vulnerable

Apr 03, 2025

CVE, Research URL: CVE-2025-2048
Home page URL: Security reports for Lana Downloads Manager
Application: Lana Downloads Manager
Date: Apr 01, 2025
Research Description: The Lana Downloads Manager WordPress plugin before 1.10.0 does not validate user input used in a path, which could allow users with an admin role to perform path traversal attacks and download arbitrary files on the server
Affected versions: Min -, max -.
Status: vulnerable

Jul 12, 2025

CVE, Research URL: CVE-2025-7387
Home page URL: Security reports for Lana Downloads Manager
Application: Lana Downloads Manager
Date: Jul 10, 2025
Research Description: The Lana Downloads Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the endpoint parameters in versions up to, and including, 1.10.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with administrator-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: Min -, max -.
Status: vulnerable