The plugin is affected by an arbitrary file download vulnerability that can be exploited by users with “Contributor” permissions or higher.
PoC
1. As a contributor, navigate to https://target/blog/wp-admin/post-new.php?post_type=lana_download
2. In the “File (URL):” input, enter the file you want to download, for example: wp-config.php
3. Save the post.
4. To download the file, use the link shown on the post, which downloads the file directly: https://target/blog/download/1/
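The missing control is a path check on the “File (URL):” value, applied when the post is saved and again when the download is served. The following is an added example, not the plugin's own code: the function name `resolve_download_path`, the uploads-only policy, the blocked extension list and the demo directory layout are assumptions, and POSIX-style paths are assumed.

```php
<?php
// Added example with hypothetical names; not taken from the plugin.

/**
 * Return the canonical path of $requested if it is a regular file inside
 * $allowedBase, otherwise null.
 */
function resolve_download_path(string $requested, string $allowedBase): ?string
{
    $base = realpath($allowedBase);
    if ($base === false) {
        return null;
    }
    // Relative values are interpreted against the allowed base only.
    $candidate = $requested;
    if ($requested === '' || $requested[0] !== DIRECTORY_SEPARATOR) {
        $candidate = $base . DIRECTORY_SEPARATOR . $requested;
    }
    // realpath() collapses "../" and follows symlinks; false if the file is missing.
    $real = realpath($candidate);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // Compare against base + separator so "/uploads-old" cannot match "/uploads".
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    // Assumed policy: never serve server-side source or config files.
    if (preg_match('/\.(php\d?|phtml|phar|ini|env)$/i', $real)) {
        return null;
    }
    return $real;
}

// Constructed demo layout: <tmp>/site/wp-config.php and <tmp>/site/uploads/report.pdf
$site = sys_get_temp_dir() . '/lana_demo_' . bin2hex(random_bytes(4));
mkdir("$site/uploads", 0700, true);
file_put_contents("$site/wp-config.php", "<?php // constructed\n");
file_put_contents("$site/uploads/report.pdf", "constructed");

$inputs = ['report.pdf', 'wp-config.php', '../wp-config.php', "$site/wp-config.php"];
foreach ($inputs as $value) {
    $resolved = resolve_download_path($value, "$site/uploads");
    printf("%-50s %s\n", $value, $resolved === null ? 'rejected' : 'served');
}
```

Running the check at download time as well as at save time covers download posts that were created before the fix was deployed.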