PatchSiren cyber security CVE debrief
CVE-2025-15546 Iptanus CVE debrief
The Iptanus File Upload WordPress plugin before 5.1.7 is vulnerable to a Time-of-Check to Time-of-Use (TOCTOU) race condition. When the duplicate policy setting is configured to 'maintain both,' an authenticated attacker can overwrite files uploaded by other users by exploiting the window between the file existence check and the actual file write operation.
- Vendor: Iptanus
- Product: File Upload WordPress plugin
- CVSS: Unknown
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-14
- Original CVE updated: 2026-06-14
- Advisory published: 2026-06-14
- Advisory updated: 2026-06-14
Who should care
Users of the Iptanus File Upload WordPress plugin before version 5.1.7 should update to version 5.1.7 or later to mitigate this vulnerability.
Technical summary
The Iptanus File Upload WordPress plugin before 5.1.7 does not implement proper file handling when the duplicate policy setting is configured to 'maintain both.' Due to a Time-of-Check to Time-of-Use (TOCTOU) race condition between the file existence check and the actual file write operation, an authenticated attacker can overwrite files uploaded by other users.
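The check-then-write pattern described above, next to an atomic alternative, as an added PHP example. It is not the plugin's code or the vendor's fix; the function names, the `-N` suffix scheme and the demo data are assumptions made for illustration.

```php
<?php
// Added illustration; not the plugin's code. Function names are hypothetical.

// Racy pattern: the existence check and the write are separate steps, so two
// concurrent requests can both see a name as free and then write the same path.
function store_keep_both_racy(string $dir, string $name, string $data): string
{
    $info = pathinfo(basename($name));
    $ext  = isset($info['extension']) ? '.' . $info['extension'] : '';
    $path = "$dir/{$info['basename']}";
    for ($i = 1; file_exists($path); $i++) {           // time of check
        $path = "$dir/{$info['filename']}-$i$ext";
    }
    file_put_contents($path, $data);                   // time of use (truncates)
    return $path;
}

// Hardened pattern: fopen() mode 'x' creates the file only if it does not
// already exist, so the check and the creation are one atomic operation.
function store_keep_both_atomic(string $dir, string $name, string $data, int $max = 1000): string
{
    $info = pathinfo(basename($name));                 // drop directory components
    $ext  = isset($info['extension']) ? '.' . $info['extension'] : '';
    for ($i = 0; $i < $max; $i++) {
        $candidate = $i === 0 ? $info['basename'] : "{$info['filename']}-$i$ext";
        $path = "$dir/$candidate";
        $fh = @fopen($path, 'xb');                     // fails if $path exists
        if ($fh === false) {
            if (file_exists($path)) { continue; }      // name taken: try next suffix
            throw new RuntimeException("cannot create $path");
        }
        $ok = fwrite($fh, $data) === strlen($data);
        fclose($fh);
        if (!$ok) { unlink($path); throw new RuntimeException("short write to $path"); }
        return $path;
    }
    throw new RuntimeException("no free name after $max attempts");
}

// Constructed demo data: two uploads with the same name are both kept.
$dir = sys_get_temp_dir() . '/toctou-demo-' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$a = store_keep_both_atomic($dir, 'report.pdf', 'user A');
$b = store_keep_both_atomic($dir, 'report.pdf', 'user B');
var_dump($a !== $b, file_get_contents($a) === 'user A');
```

With the atomic version, a request that loses the race gets a failed `fopen()` and moves to the next suffix instead of overwriting the file that won.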
Defensive priority
high
Recommended defensive actions
- Update the Iptanus File Upload WordPress plugin to version 5.1.7 or later.
- Review and adjust the duplicate policy setting to prevent unauthorized file overwrites.
Evidence notes
The CVE-2025-15546 vulnerability was reported by WPScan.
Official resources
- CVE-2025-15546 CVE record (CVE.org)
- CVE-2025-15546 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference: CVE-2025-15546 was published on 2026-06-14T08:16:17.040Z.