CVE-2025-7387: 
WordPress vulnerability analysis and mitigation

The Lana Downloads Manager plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2025-7387) discovered on July 10, 2025. The vulnerability affects versions up to and including 1.10.0, where insufficient input sanitization and output escaping on user-supplied attributes in the endpoint parameters creates a security risk (NVD).

The vulnerability stems from improper input sanitization and output escaping of user-supplied attributes in the endpoint parameters. This security flaw allows authenticated users with administrator-level permissions and above to inject arbitrary web scripts into pages. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.5 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N (Wordfence).

When exploited, the vulnerability allows authenticated attackers with administrator-level access to inject malicious web scripts into pages. These scripts will execute whenever a user accesses the compromised page, potentially leading to session hijacking, credential theft, or other client-side attacks (NVD).

The vulnerability has been patched in version 1.11.0 of the Lana Downloads Manager plugin. Site administrators are strongly recommended to update to this version immediately. The update includes security fixes specifically addressing CVE-2025-7387 (WordPress Plugin).