CVE-2025-15546
Iptanus File Upload WordPress Plugin TOCTOU Race Condition

Vulnerability report for CVE-2025-15546, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-14

Last updated on: 2026-06-14

Assigner: WPScan

Description

The Iptanus File Upload WordPress plugin before 5.1.7 does not implement proper file handling when the duplicatepolicy setting is configured to "maintain both." Due to a Time-of-Check to Time-of-Use (TOCTOU) race condition between the file existence check and the actual file write operation, an authenticated attacker can overwrite files uploaded by other users.

Meta Information

Published: 2026-06-14
Last Modified: 2026-06-14
Generated: 2026-07-04
AI Q&A: 2026-06-14
EPSS Evaluated: 2026-07-03

Affected Vendors & Products

Vendor: iptanus
Product: file_upload
Version / Range: up to 5.1.7 (exclusive)

Exploitability

CWE ID: CWE-UNKNOWN

Executive Summary

CVE-2025-15546 is a race condition vulnerability in the Iptanus File Upload WordPress plugin versions before 5.1.7. It occurs when the "duplicatepolicy" setting is configured to "maintain both." The plugin does not properly handle file uploads due to a Time-of-Check to Time-of-Use (TOCTOU) race condition between checking if a file exists and the actual file write operation.

This flaw allows an authenticated attacker to overwrite files uploaded by other users by exploiting the timing gap between the file existence check and the file writing process.

Compliance Impact

The vulnerability allows an authenticated attacker to overwrite files uploaded by other users due to a race condition in file handling. This could lead to unauthorized modification or loss of data.

Such unauthorized file overwrites may impact compliance with data protection standards and regulations like GDPR and HIPAA, which require ensuring the integrity and confidentiality of personal and sensitive data.

Specifically, improper file handling and potential data overwrites could violate requirements for data integrity, access control, and secure processing under these regulations.

Impact Analysis

This vulnerability can allow an authenticated attacker to overwrite files uploaded by other users. This can lead to unauthorized modification or replacement of files, potentially causing data loss, corruption, or unauthorized content injection.

Such file overwrites could disrupt normal operations, compromise the integrity of uploaded data, and may be leveraged for further attacks depending on the nature of the overwritten files.

Detection Guidance

This vulnerability can be detected by observing attempts to exploit the TOCTOU race condition in the Iptanus File Upload WordPress plugin when the "duplicatepolicy" setting is set to "maintain both." A proof-of-concept exploit involves multiple threads simultaneously attempting to upload files with the same name, leading to file overwrites.

To detect exploitation attempts, monitor logs for multiple concurrent file upload requests with identical filenames from authenticated users.

Specific commands are not provided in the available resources.

Mitigation Strategies

The immediate mitigation step is to update the Iptanus File Upload WordPress plugin to version 5.1.7 or later, where the vulnerability has been fixed.

Additionally, reviewing and adjusting the "duplicatepolicy" setting away from "maintain both" may reduce the risk until the update is applied.
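The check-then-write gap described above, modelled here as an added illustration in Python (not the plugin's own code, which is PHP): a racy "maintain both" name picker beside one that uses an exclusive-create open, with a test hook standing in for the concurrent request that lands between the check and the write.

```python
import os
import tempfile
from pathlib import Path

def nth_name(name, n):
    """'report.pdf', 2 -> 'report-2.pdf'; n == 0 leaves the name unchanged."""
    base, ext = os.path.splitext(name)
    return name if n == 0 else f"{base}-{n}{ext}"

def racy_maintain_both(upload_dir, name, data, interleave=None):
    """Vulnerable shape: exists() is the time of check, write_bytes() the time of use.
    `interleave` is a test hook modelling a second request landing between the two."""
    n = 0
    while (candidate := Path(upload_dir) / nth_name(name, n)).exists():
        n += 1
    if interleave:
        interleave(candidate)      # the other upload claims the same "free" name first
    candidate.write_bytes(data)    # time of use: silently replaces the other user's file
    return candidate

def atomic_maintain_both(upload_dir, name, data, interleave=None, max_tries=10_000):
    """Hardened shape: O_CREAT|O_EXCL makes check and create one kernel operation,
    so a concurrent creator only makes us move on to the next suffix."""
    for n in range(max_tries):
        candidate = Path(upload_dir) / nth_name(name, n)
        if n == 0 and interleave:
            interleave(candidate)  # same hook: the rival wins the race for the first name
        try:
            fd = os.open(candidate, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
        except FileExistsError:
            continue               # taken since we looked; that is fine, try the next name
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        return candidate
    raise RuntimeError(f"no free filename for {name!r} after {max_tries} tries")

def demo():
    """Run both variants against a rival that creates the chosen name mid-operation."""
    rival = lambda p: p.write_bytes(b"first upload")
    with tempfile.TemporaryDirectory() as d:
        racy = racy_maintain_both(d, "report.pdf", b"second upload", interleave=rival)
        racy_result = (racy.name, racy.read_bytes())
    with tempfile.TemporaryDirectory() as d:
        safe = atomic_maintain_both(d, "report.pdf", b"second upload", interleave=rival)
        safe_result = (safe.name, safe.read_bytes(), (Path(d) / "report.pdf").read_bytes())
    return racy_result, safe_result
```

The racy variant ends with the first upload replaced; the atomic variant keeps it and lands the second upload on the next suffix, which is the behaviour "maintain both" is supposed to guarantee.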
