CVE-2025-15546
WordPress vulnerability analysis and mitigation

Overview

CVE-2025-15546 is a time-of-check to time-of-use (TOCTOU) race condition in the Iptanus File Upload WordPress plugin (slug wp-file-upload) that lets an authenticated user overwrite files uploaded by other users. It affects all versions of the plugin before 5.1.7 when the duplicatepolicy setting is configured to "maintain both." The vulnerability was discovered by researcher Luca Jungnickel, published on 2026-05-24, and assigned a CVSS score of 5.4 (Medium) (WPScan, GitHub Advisory).

Technical details

The root cause is a TOCTOU race condition (CWE-362) in the plugin's file-handling logic. When duplicatepolicy is set to "maintain both," the plugin checks whether a file with the same name already exists before writing the new file (so that both copies can be kept), but nothing makes the existence check and the write a single atomic operation. An authenticated attacker can hit that window by uploading a file with the same name at the same moment as another user: both uploads pass the check, both are written to the same path, and the attacker's content replaces the victim's on disk. A public proof-of-concept Python script that drives the upload form with Selenium and uses a threading barrier to synchronize the concurrent uploads was published alongside the advisory (WPScan).

Impact

Successful exploitation lets an authenticated attacker overwrite files uploaded by other users of the same WordPress installation, compromising their integrity. An attacker could corrupt legitimate user-uploaded content, replace documents or media with malicious or misleading files, or disrupt workflows that depend on those files. The vulnerability does not by itself give remote code execution or privilege escalation, but tampering with uploads can have downstream consequences depending on how the application consumes them (WPScan, GitHub Advisory).

Exploitation steps

  1. Reconnaissance: Identify a WordPress site running the wp-file-upload (Iptanus File Upload) plugin at a version before 5.1.7 with the duplicatepolicy setting configured to "maintain both."
  2. Obtain authentication: Log in with any account that is allowed to use the upload form (which roles qualify depends on how the site administrator configured the plugin).
  3. Identify the target file: Determine the filename another user is expected to upload, or watch upload activity to pick a filename to collide with.
  4. Prepare the race payload: Using the published PoC script, configure several threads (e.g., 5), each submitting a file with the target filename but with the attacker's own content.
  5. Execute the race: Run the PoC script; its threading barrier releases all upload requests at once so that they land inside the window between the existence check and the write.
  6. Verify the overwrite: Confirm that the victim's file on the server now holds the attacker's content by fetching the file's URL or inspecting the uploads directory (WPScan).
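The check-then-write gap described above, reduced to a local simulation. This is an added example, not code from the plugin or from the published PoC: `unsafe_save` mirrors the vulnerable "maintain both" sequence (look for a free name, then open and write), while `safe_save` shows the atomic alternative (`O_CREAT | O_EXCL`, where the kernel performs the existence check and the create as one step). The barrier plays the role the PoC's threading barrier plays against a real site, making the collision deterministic; the filenames, payloads and helper names are all assumptions made up for the demo.

```python
import os
import tempfile
import threading


def unique_name(directory, filename):
    """'maintain both' naming: pick the first name not already on disk.
    This is the check half of the check-then-write sequence."""
    base, ext = os.path.splitext(filename)
    candidate, n = filename, 1
    while os.path.exists(os.path.join(directory, candidate)):
        candidate = f"{base}-{n}{ext}"
        n += 1
    return candidate


def unsafe_save(directory, filename, data, sync=None):
    """Vulnerable pattern (assumed shape, not the plugin's code): existence
    check, then an ordinary open() that truncates whatever is there.
    `sync` is a barrier used only to make the window deterministic here;
    a real attacker relies on timing."""
    name = unique_name(directory, filename)
    if sync is not None:
        sync.wait()  # every uploader has chosen its name before anyone writes
    with open(os.path.join(directory, name), "wb") as fh:
        fh.write(data)
    return name


def safe_save(directory, filename, data, sync=None):
    """Hardened pattern: O_CREAT|O_EXCL makes the check and the create one
    atomic syscall, so two callers can never both win the same name."""
    base, ext = os.path.splitext(filename)
    if sync is not None:
        sync.wait()  # start everyone at once; the kernel serialises the rest
    n = 0
    while True:
        candidate = filename if n == 0 else f"{base}-{n}{ext}"
        path = os.path.join(directory, candidate)
        try:
            fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
        except FileExistsError:
            n += 1  # someone else got this name; try the next suffix
            continue
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        return candidate


def race(save, n_uploads=3, filename="report.pdf"):
    """Run n_uploads concurrent uploads of different payloads under the same
    name and return the set of payloads that survive on disk."""
    directory = tempfile.mkdtemp()
    barrier = threading.Barrier(n_uploads)
    payloads = [f"upload from user {i}".encode() for i in range(n_uploads)]
    threads = [
        threading.Thread(target=save, args=(directory, filename, p, barrier))
        for p in payloads
    ]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    survivors = set()
    for name in os.listdir(directory):
        with open(os.path.join(directory, name), "rb") as fh:
            survivors.add(fh.read())
    return survivors


if __name__ == "__main__":
    print("vulnerable:", len(race(unsafe_save)), "file(s) survive of 3")
    print("hardened:  ", len(race(safe_save)), "file(s) survive of 3")
```

With the vulnerable save, all three uploaders pass the check while the directory is still empty, all write to `report.pdf`, and only one payload survives; with the atomic save, the losers get `FileExistsError` and fall through to `report-1.pdf`, `report-2.pdf`, so nothing is lost. Note that a lock around the check and the write is the other valid fix; what does not work is any scheme that reads the directory first and opens the file second.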

Indicators of compromise

  • Logs: Web server access logs showing several near-simultaneous POST requests to the plugin's upload endpoint from the same authenticated session or IP address. (The filename travels in the multipart request body, so matching on it requires request-body logging or a WAF; plain access logs only show the burst.)
  • File system: Unexpected changes to file content under wp-content/uploads/ whose modification timestamps do not match legitimate user activity.
  • Logs: Authentication logs showing an account logging in and immediately performing rapid, repeated upload operations in a short time window.
  • Network: Bursts of HTTP POST requests to the plugin's upload handler from a single source IP, particularly when the request bodies carry identical filenames (WPScan).
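A detection for the first and fourth indicators, run over access-log lines. This is an added example, not from the advisory or the plugin: it parses combined-log-format lines and flags any (source IP, logged user) pair that sends three or more POSTs to the upload endpoint within two seconds. The endpoint path, the thresholds and the log lines are all assumptions constructed for the demo; on a real site substitute the path the plugin actually posts to, and note that the third log field is only populated when the web server knows the user, so the key will often collapse to the IP alone.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# ASSUMPTIONS (not from the advisory): the plugin posts uploads through this
# path, and three POSTs from one (ip, user) pair within two seconds is a burst.
UPLOAD_PATH = "/wp-admin/admin-ajax.php"
WINDOW_SECONDS = 2.0
BURST_THRESHOLD = 3

# Combined log format: ip ident user [timestamp] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: one legitimate upload by alice, a five-request burst by
# mallory against the upload endpoint, and unrelated traffic from bob.
SAMPLE_LOG = """\
203.0.113.7 - alice [14/Jun/2026:10:15:32 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512
203.0.113.7 - alice [14/Jun/2026:10:15:33 +0000] "GET /wp-content/uploads/2026/06/report.pdf HTTP/1.1" 200 88123
198.51.100.9 - mallory [14/Jun/2026:10:15:40 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512
198.51.100.9 - mallory [14/Jun/2026:10:15:40 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512
198.51.100.9 - mallory [14/Jun/2026:10:15:40 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512
198.51.100.9 - mallory [14/Jun/2026:10:15:41 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512
198.51.100.9 - mallory [14/Jun/2026:10:15:41 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512
192.0.2.44 - bob [14/Jun/2026:10:16:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.44 - bob [14/Jun/2026:10:16:09 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512
"""


def parse_line(line):
    """Return the fields we key on, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "user": m["user"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # drop query string before comparing
        "status": int(m["status"]),
    }


def find_bursts(lines, window=WINDOW_SECONDS, threshold=BURST_THRESHOLD):
    """Sliding-window count of upload POSTs per (ip, user); one alert per pair."""
    recent = defaultdict(deque)  # (ip, user) -> timestamps inside the window
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["method"] != "POST" or ev["path"] != UPLOAD_PATH:
            continue
        key = (ev["ip"], ev["user"])
        q = recent[key]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window:
            q.popleft()  # expire requests older than the window
        if len(q) >= threshold:
            a = alerts.setdefault(
                key, {"ip": ev["ip"], "user": ev["user"], "count": 0,
                      "first": q[0].isoformat(), "last": None}
            )
            a["count"] = max(a["count"], len(q))
            a["last"] = ev["ts"].isoformat()
    return list(alerts.values())


if __name__ == "__main__":
    for alert in find_bursts(SAMPLE_LOG.splitlines()):
        print(f"burst: {alert['ip']} ({alert['user']}) sent {alert['count']} "
              f"upload POSTs between {alert['first']} and {alert['last']}")
```

Only mallory trips the rule; alice's single upload and bob's one POST to the endpoint stay below the threshold. Bursts of this shape also occur legitimately when a gallery page uploads many files at once, so treat the alert as a trigger to check the uploads directory for files whose content or mtime changed outside the owner's session, not as proof of exploitation.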

Mitigation and workarounds

Update the Iptanus File Upload WordPress plugin (wp-file-upload) to version 5.1.7 or later, which, per the advisory, implements atomic file handling that closes the race window. Until the update is applied, set duplicatepolicy to any value other than "maintain both" so that the vulnerable code path is never reached. Restricting upload permission to trusted roles shrinks the pool of users who can trigger the race, and file integrity monitoring on the uploads directory helps detect unauthorized modifications after the fact (WPScan, GitHub Advisory).

Additional resources


Source
This report was generated with the help of AI.

Related WordPress vulnerabilities:

CVE ID          Severity  Score  Component                                   CISA KEV exploit  Fixed  Published
CVE-2026-5513   HIGH      7.2    bookly-responsive-appointment-booking-tool  No                Yes    Jun 13, 2026
CVE-2026-9629   MEDIUM    6.4    canvas                                      No                Yes    Jun 13, 2026
CVE-2026-3297   MEDIUM    6.4    pagelayer                                   No                Yes    Jun 13, 2026
CVE-2026-1291   MEDIUM    4.3    meow-gallery                                No                Yes    Jun 13, 2026
CVE-2025-15546  NONE      N/A    wp-file-upload                              No                Yes    Jun 14, 2026
