Security Alert Summary
The Iptanus File Upload WordPress plugin contains a vulnerability (CVE-2025-15546) that can allow an authenticated attacker to overwrite files uploaded by other users when the plugin’s duplicatepolicy setting is configured to “maintain both.” The issue results from a time-of-check to time-of-use (TOCTOU) race condition between the file existence check and the file write operation.
CVE Details
- CVE ID: CVE-2025-15546
- Affected component: Iptanus File Upload WordPress plugin
- Affected versions: versions before 5.1.7
- Published: June 14, 2026 at 8:16:17 AM UTC
- Last modified: June 14, 2026 at 8:16:17 AM UTC
- CVSS v3.1 base score / severity / vector: Not provided in the available data
- Authentication / privileges / user interaction: Authentication required (an authenticated attacker). Privileges required: authenticated user. User interaction: not required for the overwrite to occur.
- Primary impact: Integrity – unauthorized modification/overwrite of uploaded files. Confidentiality and availability impacts are not specified in the provided data.
- CWE / weakness ID: Not provided in the available data
Technical Details
The vulnerability is a time-of-check to time-of-use (TOCTOU) race condition that occurs when the plugin’s duplicatepolicy is set to “maintain both.” During the upload process the code first checks whether a file with the target name already exists and only later performs the file write. Because there is a window between the existence check and the write, a second upload can land on the same path inside that window, and an authenticated attacker can use the race to have an already uploaded file overwritten with content of their choosing. The issue stems from inadequate file handling for this duplicate policy: the check and the write are not a single atomic operation, so the check cannot guarantee anything about the state of the file at the moment of the write.
No specific functions, REST API endpoints, or additional internal checks are named in the available description.
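The following is an added illustration of the check-then-write pattern described above and of the standard fix; it is generic example code written for this summary, not code from the Iptanus plugin, and the function names, the "name-1.ext" renaming scheme and the "user A / user B" inputs are constructed assumptions. The racy version tests for existence and then opens the file for writing, which truncates whatever was created in between. The hardened version skips the separate check and asks the operating system to create the file exclusively (O_CREAT|O_EXCL), so "already exists" is reported at the moment of the write and the code simply moves on to the next candidate name. The race window is made deterministic with a hook that simulates the other user's request landing between check and write.

```python
import os
import tempfile


def candidate_names(name):
    """Yield name, name-1.ext, name-2.ext, ... (constructed 'maintain both' scheme)."""
    stem, ext = os.path.splitext(name)
    yield name
    n = 1
    while True:
        yield f"{stem}-{n}{ext}"
        n += 1


def save_maintain_both_racy(upload_dir, name, data, between_check_and_write=None):
    """Vulnerable pattern: separate existence check, then a plain truncating write."""
    for cand in candidate_names(name):
        path = os.path.join(upload_dir, cand)
        if not os.path.exists(path):                    # time of check
            if between_check_and_write:
                between_check_and_write(path)           # window: another request may create path
            with open(path, "wb") as f:                 # time of use: truncates whatever is there now
                f.write(data)
            return cand


def save_maintain_both_safe(upload_dir, name, data, between_check_and_write=None):
    """Hardened pattern: check and create are one atomic exclusive-create call."""
    for cand in candidate_names(name):
        path = os.path.join(upload_dir, cand)
        if between_check_and_write:
            between_check_and_write(path)               # same interference, now harmless
        try:
            fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
        except FileExistsError:
            continue                                    # someone got there first: try next name
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        return cand


def demonstrate(base_dir=None):
    """Run both savers with a simulated concurrent upload; return what each did."""
    base_dir = base_dir or tempfile.mkdtemp()
    results = {}
    for label, saver in (("racy", save_maintain_both_racy), ("safe", save_maintain_both_safe)):
        upload_dir = os.path.join(base_dir, label)
        os.makedirs(upload_dir, exist_ok=True)
        target = os.path.join(upload_dir, "report.pdf")
        fired = []

        def concurrent_upload(path, target=target, fired=fired):
            # Constructed: user A's request creates report.pdf inside the window, once.
            if path == target and not fired:
                fired.append(path)
                with open(path, "wb") as f:
                    f.write(b"USER-A UPLOAD")

        saved_as = saver(upload_dir, "report.pdf", b"USER-B UPLOAD", concurrent_upload)
        with open(target, "rb") as f:
            results[label] = (saved_as, f.read())     # (name user B got, final content of report.pdf)
    return results


if __name__ == "__main__":
    for label, (saved_as, content) in demonstrate().items():
        print(f"{label}: user B saved as {saved_as}, report.pdf now holds {content!r}")
```

With the racy saver user A's report.pdf ends up holding user B's bytes; with the exclusive-create saver user B is renamed to report-1.pdf and user A's file is untouched. In PHP the equivalent of O_EXCL is opening with fopen mode "x" (or "xb"), which fails instead of truncating when the path already exists.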
How This Could Impact Your Website
In a multi-user WordPress site — for example, a site owner, internal staff contributors, and external contractors or contributors — this vulnerability could allow an authenticated contributor or contractor to overwrite files uploaded by others. Practical consequences include replacement of uploaded images, documents, or other media with altered content. That could lead to confusing or misleading content being presented to users, and in some cases could increase the risk of targeted phishing or social engineering if attackers replace documents or assets used in communications with users or staff.
If you're unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.
Recommended Actions
- Update the affected plugin as soon as a patched version is available.
- Review and reduce unnecessary user roles, especially contributors and other low-privilege accounts that can upload files.
- Enforce strong passwords and two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins that increase your attack surface.
- Monitor site activity and file uploads for unusual behavior or unexpected changes.
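Because the impact of this issue is a silent overwrite of an existing upload, the change an operator most wants to detect is "same path, different content." The following is an added example of a minimal integrity baseline for an uploads directory; it is generic code written for this summary, not part of the plugin or of WordPress, and it assumes only a directory laid out like wp-content/uploads (year/month subfolders). It hashes every file, and a later run classifies paths as modified (an overwrite), added or removed.

```python
import hashlib
import os
import tempfile


def hash_tree(root):
    """Map each relative file path under root to its SHA-256 hex digest."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            digests[os.path.relpath(full, root)] = h.hexdigest()
    return digests


def diff_baseline(baseline, current):
    """Compare two hash maps; 'modified' is the signature of an overwritten upload."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo(root=None):
    """Constructed scenario: take a baseline, overwrite one upload, add one, re-check."""
    root = root or tempfile.mkdtemp()
    month_dir = os.path.join(root, "2026", "06")
    os.makedirs(month_dir, exist_ok=True)
    for name, data in (("report.pdf", b"original report"), ("logo.png", b"png bytes")):
        with open(os.path.join(month_dir, name), "wb") as f:
            f.write(data)
    baseline = hash_tree(root)
    with open(os.path.join(month_dir, "report.pdf"), "wb") as f:   # overwrite in place
        f.write(b"replaced report")
    with open(os.path.join(month_dir, "new.jpg"), "wb") as f:      # ordinary new upload
        f.write(b"jpg bytes")
    return diff_baseline(baseline, hash_tree(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline would be written to disk (for example as JSON) after each legitimate content change and the comparison run on a schedule; a non-empty "modified" list on a directory that should only ever grow is worth an alert, since normal uploads add files rather than rewrite existing ones.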
If you'd like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.