


Perceptive Security
SOC/SIEM Consultancy

jizhiCMS 1.6.7 contains a file download vulnerability in the admin plugins update endpoint that allows authenticated administrators to download arbitrary files.…
Published: 4 February 2026 at 23:00:00
Alert date: 5 February 2026 at 21:07:15
Source: nvd.nist.gov
Web Technologies
jizhiCMS version 1.6.7 contains a file download vulnerability in the admin plugins update endpoint that allows authenticated administrators to download arbitrary files from the system. The vulnerability is exploited by sending crafted POST requests with malicious filepath and download_url parameters, which trigger unauthorized file downloads. The flaw lies in the file handling functionality of the CMS admin panel and requires administrative authentication to exploit. The vulnerability has been documented, and exploit code is available.
Technical details
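The following triage check is an added example, not part of the original alert and not jizhiCMS code: it reviews logged POST requests to the plugins update endpoint and flags `filepath` and `download_url` values that a routine plugin update would not carry. Only the two parameter names come from the advisory; the endpoint pattern, the allowlisted host, the "bare folder name" heuristic and the sample records are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumptions, not taken from the advisory: the endpoint URL pattern and the
# hosts that legitimate plugin updates are fetched from. Adjust to your install.
ENDPOINT_RE = re.compile(r"/plugins/update", re.IGNORECASE)
TRUSTED_UPDATE_HOSTS = {"plugins.example.test"}

def review_request(method, url, body):
    """Return findings for one logged request; an empty list means nothing to flag."""
    if method.upper() != "POST" or not ENDPOINT_RE.search(urlsplit(url).path):
        return []
    params = parse_qs(body, keep_blank_values=True)  # also percent-decodes values
    findings = []
    for value in params.get("download_url", []):
        host = (urlsplit(value).hostname or "").lower()
        if host not in TRUSTED_UPDATE_HOSTS:
            findings.append("download_url host not on allowlist: " + (host or repr(value)))
    for value in params.get("filepath", []):
        parts = value.replace("\\", "/").split("/")
        # Assumed heuristic: a routine update names a single plugin folder, so
        # path separators, ".." or a drive letter deserve a closer look.
        if len(parts) > 1 or ".." in parts or re.match(r"[A-Za-z]:", value):
            findings.append("filepath is not a bare folder name: " + repr(value))
    return findings

def scan(records):
    """Return (timestamp, client, findings) for every record worth triage."""
    hits = []
    for ts, client, method, url, body in records:
        findings = review_request(method, url, body)
        if findings:
            hits.append((ts, client, findings))
    return hits

# Constructed sample records (timestamp, client IP, method, URL, POST body),
# shaped like output from a WAF or audit log that captures request bodies.
SAMPLE = [
    ("2026-02-05T09:00:01Z", "198.51.100.7", "POST", "/admin/plugins/update",
     "filepath=gallery&download_url=https%3A%2F%2Fplugins.example.test%2Fgallery"),
    ("2026-02-05T09:14:32Z", "203.0.113.24", "POST", "/admin/plugins/update",
     "filepath=..%2F..%2Fconf&download_url=http%3A%2F%2F203.0.113.99%2Fa"),
    ("2026-02-05T09:15:10Z", "198.51.100.7", "GET", "/admin/plugins/update", ""),
]

if __name__ == "__main__":
    for ts, client, findings in scan(SAMPLE):
        print(ts, client, "; ".join(findings))
```

Standard web access logs do not record POST bodies, so this check needs a source that does, such as a WAF or reverse-proxy audit log.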
Affected products: jizhiCMS
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2020-37117
https://www.exploit-db.com/exploits/48361
https://www.jizhicms.cn/
https://www.vulncheck.com/advisories/jizhicms-arbitrary-file-download
This article was created with the assistance of AI technology by Perceptive.
