CVE-2025-15546 | The Iptanus File Upload WordPress plugin before 5.1.7 does n…

Description

The Iptanus File Upload WordPress plugin before 5.1.7 does not implement proper file handling when the duplicatepolicy setting is configured to "maintain both." Due to a Time-of-Check to Time-of-Use (TOCTOU) race condition between the file existence check and the actual file write operation, an authenticated attacker can overwrite files uploaded by other users.

Metadata

CVE ID: CVE-2025-15546
State: PUBLISHED
Assigner: WPScan
Reserved: 2026-01-26 14:42 UTC
Published: 2026-06-14 06:00 UTC
Last updated: 2026-06-14 06:00 UTC
Vendor / Product: Unknown / Iptanus File Upload
Sources: cve.org · NVD

Severity & Metrics

No CVSS data available.

Affected products (1)

Vendor	Product	Platform	Versions
Unknown	Iptanus File Upload	—	0 < 5.1.7

Weakness (CWE)

CWE	Source	Description
—	cna	CWE-362 Race Condition (Concurrent Execution using Shared Resource with Improper Synchronization)

References (1)

https://wpscan.com/vulnerability/06e33418-1644-49a1-b012-122046604109/