CVE-2025-7387 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Lana Downloads Manager plugin for WordPress, versions up to and including 1.10.0. The root cause is improper neutralization of input during web page generation (CWE-79), specifically insufficient sanitization and escaping of user-supplied parameters in the plugin's endpoint. This flaw allows authenticated attackers with administrator or higher privileges to inject arbitrary JavaScript code that is persistently stored and executed in the context of any user visiting the affected page. The vulnerability does not require user interaction beyond visiting the injected page and can lead to theft of sensitive information such as session cookies, unauthorized actions performed on behalf of users, or defacement of content. The CVSS 3.1 vector (AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N) reflects network attack vector, low attack complexity, high privileges required, no user interaction, scope change, and limited confidentiality and integrity impacts without affecting availability. No public exploits are currently known, but the vulnerability poses a risk especially in environments where multiple administrators manage WordPress sites. The lack of available patches at the time of publication necessitates immediate attention to input validation and output encoding best practices to mitigate risk.

The primary impact of this vulnerability is on the confidentiality and integrity of affected WordPress sites using the Lana Downloads Manager plugin. An attacker with administrator privileges can inject malicious scripts that execute in the browsers of users visiting the compromised pages, potentially leading to session hijacking, credential theft, unauthorized administrative actions, or content manipulation. While availability is not directly affected, the breach of trust and data integrity can cause reputational damage and operational disruption. Organizations relying on this plugin are at risk of internal threats or attackers who have gained administrative access through other means. The vulnerability could facilitate lateral movement within compromised environments or be leveraged as part of a broader attack chain. Given WordPress's widespread use globally, the vulnerability could affect a significant number of websites, especially those that do not promptly update or apply mitigations.

1. Immediate mitigation involves restricting administrative access to trusted personnel only and monitoring for unusual administrator activity. 2. Apply strict input validation on all user-supplied data, ensuring that endpoint parameters are sanitized to remove or encode potentially malicious characters before processing. 3. Implement robust output encoding/escaping mechanisms when rendering user input in web pages to prevent script execution. 4. Monitor WordPress plugin updates and apply official patches from lanacodes as soon as they become available. 5. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting the vulnerable parameters. 6. Conduct regular security audits and penetration testing focused on plugin components. 7. Educate administrators on the risks of stored XSS and enforce the principle of least privilege to limit exposure. 8. Consider temporarily disabling or replacing the Lana Downloads Manager plugin if immediate patching is not feasible.