Lana Downloads Manager < 1.10.0 – Admin+ Arbitrary File Download via Path Traversal | CVE 2025-2048 | Plugin Vulnerabilities

Description

The plugin does not validate user input used in a path, which could allow users with an admin role to perform path traversal attacks and download arbitrary files on the server

Proof of Concept

1. Log into the WordPress Administration console (/wp-admin/).
2. Click on *Downloads -> Add Download*.
3. Set the *Add title* as anything.
5. Set the *File URL* as the internal file to be downloaded using the PHP wrapper: `php://filter/resource=../../../../../../../../../../../etc/passwd`
6. Clink on *Publish* - The download permalink is generated and the file can be downloaded using it. Example:  http://example.com/download/1117/

Affects Plugins

lana-downloads-manager

Fixed in 1.10.0

References

CVE

Classification

Type

TRAVERSAL

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Bruno Oliveira - IncludeSecurity

Submitter

Bruno Oliveira - IncludeSecurity

Submitter website

https://includesecurity.com

Submitter twitter

includesecurity

Verified

Yes

WPVDB ID

05c664e8-110e-4a31-8377-41a0422508a7

Timeline

Publicly Published

2025-03-11 (about 9 months ago)

Added

2025-03-11 (about 9 months ago)

Last Updated

2025-03-11 (about 9 months ago)

Other

Published

Title

Published

2022-10-28

Title

Ultimate Member < 2.5.1 - Contributor+ LFI via Traversal

Published

2019-03-14

Title

SG Optimizer <= 5.0.12 - Unauthenticated File Upload

Published

2022-09-14

Title

Enable Media Replace < 4.0.0 - Admin+ Path Traversal

Published

2023-11-06

Title

Mmm Simple File List <= 2.3 - Subscriber+ Arbitrary Directory Listing

Published

2025-02-13

Title

Bit Assist < 1.5.3 - Admin+ Arbitrary File Read