The plugin is affected by an arbitrary file download vulnerability that can be exploited by users with “Contributor” permissions or higher.
# As contributor, navigate to https://target/blog/wp-admin/post-new.php?post_type=lana_download
# Inside "File (URL):" input, fill the file you want to download, for example: wp-config.php
# Save the post
# To download the file, you will be able to see a link that will directly download file
https://target/blog/download/1/