CVE-2025-2048: Lana Downloads Manager < 1.10.0 - Admin+ Arbitrary File Download via Path Traversal

Description

The Lana Downloads Manager WordPress plugin before 1.10.0 does not validate user input used in a file path, which could allow users with the admin role to perform path traversal attacks and download arbitrary files from the server.

Classification

CVE ID: CVE-2025-2048

Problem Types

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Affected Products

Vendor: Unknown

Product: Lana Downloads Manager

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.03% (probability of being exploited)

EPSS Percentile: 8.23% (share of all scored vulnerabilities whose EPSS score is less than or equal to this one)

EPSS Date: 2025-04-18 (date the score was calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-2048
https://wpscan.com/vulnerability/05c664e8-110e-4a31-8377-41a0422508a7/

Timeline