CVE Catalog

CVE-2025-15546

MediumCVSS 5.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.16%

5th percentile — higher than 5% of all known CVEs

Summary

The Iptanus File Upload WordPress plugin before version 5.1.7 does not implement proper file handling when the duplicatepolicy setting is configured to "maintain both." Due to a TOCTOU race condition between the file existence check and the actual file write operation, an authenticated attacker can overwrite files uploaded by other users.

Risk Assessment

The risk is that an authenticated attacker can overwrite files uploaded by other users, potentially leading to data loss, file integrity compromise, or injection of malicious content.

Recommendation

It is recommended to immediately update the Iptanus File Upload plugin to version 5.1.7 or later, which fixes the vulnerability by implementing proper file handling and eliminating the race condition.

Original NVD description (English source)

The Iptanus File Upload WordPress plugin before 5.1.7 does not implement proper file handling when the duplicatepolicy setting is configured to "maintain both." Due to a Time-of-Check to Time-of-Use (TOCTOU) race condition between the file existence check and the actual file write operation, an authenticated attacker can overwrite files uploaded by other users.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS