Iptanus File Upload < 5.1.7 - File Overwrite via Race Condition
Summary
| CVE | CVE-2025-15546 |
|---|---|
| State | PUBLISHED |
| Assigner | WPScan |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-14 08:16:17 UTC |
| Updated | 2026-06-14 08:16:17 UTC |
| Description | The Iptanus File Upload WordPress plugin before 5.1.7 does not implement proper file handling when the duplicatepolicy setting is configured to "maintain both." Due to a Time-of-Check to Time-of-Use (TOCTOU) race condition between the file existence check and the actual file write operation, an authenticated attacker can overwrite files uploaded by other users. |
Risk And Classification
EPSS: 0.000060000 probability, percentile 0.004300000 (date 2026-06-14)
Problem Types: CWE-362 Race Condition (Concurrent Execution using Shared Resource with Improper Synchronization)
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Unknown | Iptanus File Upload | affected 5.1.7 semver | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| wpscan.com/vulnerability/06e33418-1644-49a1-b012-122046604109 | [email protected] | wpscan.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Luca Jungnickel (en)
CNA: WPScan (en)
There are currently no legacy QID mappings associated with this CVE.