Impact
The Iptanus File Upload WordPress plugin before version 5.1.7 fails to handle file names correctly when its duplicatepolicy is set to "maintain both." A time‑of‑check to time‑of‑use race condition allows an attacker who can authenticate to the site to overwrite a file that another user has already uploaded, potentially replacing legitimate content or injecting malicious files. This flaw can lead to data integrity violations and, depending on the file type, may allow privilege escalation or execution of arbitrary code on the web server.
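The check-then-use pattern behind this class of bug, next to an atomic alternative, as an added example that is not the plugin's code or its actual fix. The function names and the "(n)" suffix scheme are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helpers, not code from the plugin.

// Racy pattern: the name is chosen with file_exists() (check) and the file
// is written afterwards (use). Two concurrent requests can both see the
// same name as free, and the later write replaces the earlier upload.
function store_keep_both_racy(string $dir, string $name, string $data): string
{
    $info = pathinfo($name);
    $ext  = isset($info['extension']) ? '.' . $info['extension'] : '';
    $candidate = $name;
    for ($i = 1; file_exists("$dir/$candidate"); $i++) {
        $candidate = $info['filename'] . "($i)" . $ext;
    }
    // Race window: nothing reserves $candidate between the check and this write.
    file_put_contents("$dir/$candidate", $data);
    return $candidate;
}

// Hardened pattern: fopen() mode 'x' creates the file only if it does not
// exist, so check and create are a single atomic step. The loser of a race
// gets false and moves on to the next suffix instead of overwriting.
function store_keep_both_atomic(string $dir, string $name, string $data): string
{
    $name = basename($name); // drop any directory components
    $info = pathinfo($name);
    $ext  = isset($info['extension']) ? '.' . $info['extension'] : '';
    $candidate = $name;
    for ($i = 1; $i <= 1000; $i++) {
        $fh = @fopen("$dir/$candidate", 'x');
        if ($fh !== false) {
            fwrite($fh, $data);
            fclose($fh);
            return $candidate;
        }
        $candidate = $info['filename'] . "($i)" . $ext;
    }
    throw new RuntimeException('no free file name found');
}

// Constructed demo in a scratch directory: same name stored twice.
$dir = sys_get_temp_dir() . '/dup_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
echo store_keep_both_atomic($dir, 'report.pdf', 'first'), "\n";
echo store_keep_both_atomic($dir, 'report.pdf', 'second'), "\n";
```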
Affected Systems
WordPress sites running the Iptanus File Upload plugin earlier than 5.1.7. The vulnerability is triggered when the duplicatepolicy setting is configured to retain both files and the attacker has authenticated access to the upload feature. No specific vendor or distribution versions are listed beyond the plugin itself, so any deployment of this plugin before 5.1.7 is considered affected.
Risk and Exploitability
The exploit requires authenticated access to the WordPress installation and the use of the vulnerable file‑upload flow. No EPSS score is available and the issue is not listed in the CISA KEV catalog. The lack of a published CVSS score makes severity estimation difficult, but the presence of a race condition and the ability to overwrite arbitrary files suggest at least moderate risk. An attacker who can complete the race may modify application resources or inject files that could be executed later.