• fiscalwebmaster

    (@fiscalwebmaster)


    Hello,

    We’re running CleanTalk Security & Malware Firewall (security-malware-firewall) on a WordPress 7.0 site and appear to have traced a reproducible conflict between the plugin’s Upload Checker module and the Enable Media Replace plugin. I’d like to report it and ask whether a targeted exclusion is possible so we don’t have to disable the module site-wide.

    Symptom
    When a user attempts to replace an existing media file via Enable Media Replace, the request fails with the WordPress error page “You do not have sufficient permissions to upload files.” The browser tab title on the error page reads “Upload Checker Exceeded.” A normal new media upload (Media > Add New) succeeds without issue – only the replace action appears to fail.

    Affected request
    POST to /wp-admin/upload.php?page=enable-media-replace/enable-media-replace.php&action=media_replace_upload&attachment_id=XXXXX

    What we ruled out before identifying the likely cause

    • WordPress 7.0 did not change Editor role capabilities; the affected user has upload_files (new uploads work).
    • Enable Media Replace was updated to the current version; the error persisted.
    • SiteGround server-level: nginx/Apache error log shows no 403 or ModSecurity entry at the time of the failed replace.
    • SiteGround access log shows the site serving normally (admin actions, media, large PDFs all 200).
    • CleanTalk Security FireWall log: across ~5,000 rows, waf_attack_type = NONE on every row, with no WAF block against the affected users – all our denials are external bots hitting wp-login.php / xmlrpc.php. So this does not appear to be caught or logged as a WAF attack.
    • It does not appear to be a role/capability issue: the error also reproduces for an Administrator, suggesting it is not keyed on upload_files.

    Likely cause (Query Monitor call stack)
    The error page reports “This message was triggered by security-malware-firewall,” with the following call stack:

    wp_die()
    spbc_upload_checker__check()
    wp-content/plugins/security-malware-firewall/inc/spbc-firewall.php:205
    Closure on line 256 of wp-content/plugins/security-malware-firewall/security-malware-firewall.php
    wp-content/plugins/security-malware-firewall/security-malware-firewall.php:256
    do_action(‘init’)
    wp-settings.php:771

    This suggests the Upload Checker module (spbc_upload_checker__check) is firing on the init hook and calling wp_die() on the Enable Media Replace media_replace_upload request.

    What the behaviour appears to indicate
    The Upload Checker does not appear to be rejecting file content. The same image uploads successfully as a new file with the module enabled, but replacing that identical, already-uploaded file via Enable Media Replace is blocked with the call stack above. This suggests the module may be reacting to the media_replace_upload action path itself rather than to the file being scanned.

    Confirmation steps we ran

    • With “Run the Upload Checker module for uploaded files” (Settings > Security by CleanTalk > General Settings) toggled OFF, the replace completes successfully (“Your image has been successfully replaced!”).
    • With the module toggled back ON, a new upload still succeeds, but replacing that same newly-uploaded file is blocked again with the identical call stack.
      This appears to isolate the Upload Checker module as the trigger.

    Question
    Is there a way to exclude the Enable Media Replace action (action=media_replace_upload) — or otherwise allow this admin media-replace flow — from the Upload Checker module, so we can keep upload malware scanning enabled site-wide rather than disabling the module entirely? If the Upload Checker flagging the media_replace_upload request looks like a bug at your end, please treat this as a report of that conflict.

    We also noticed a recent thread on the WordPress.org support forum (“Upload whitelist?”, 24 June 2026) where another user described blocked uploads from a legitimate trusted-user flow and asked about whitelisting; your support reply pointed them to the same Upload Checker toggle. We don’t know whether their root cause was the same, but the symptoms and the request are similar enough that it may be related. We’d be keen to know whether a more granular exclusion is possible rather than turning the module off entirely.

    Environment

    • WordPress 7.0
    • CleanTalk Security & Malware Firewall (security-malware-firewall) — current version
    • Enable Media Replace — current version
    • Hosting: SiteGround
    • Site: fiscaltec.com

    Happy to provide any further logs. Thank you.

Viewing 7 replies - 1 through 7 (of 7 total)
  • Thread Starter fiscalwebmaster

    (@fiscalwebmaster)

    Please see screenshot of error page shown

    Plugin Support dimitrycleantalk

    (@dimitrycleantalk)

    Hello @fiscalwebmaster,

    Please try installing the fixed version: https://github.com/CleanTalk/security-malware-firewall/releases/download/fix-version/security-malware-firewall.zip

    All the changes made will be included in the next stable release.

    Did it help you?

    I wanted to let you know that I was also having a similar issue with using a custom post type. It was throwing the same error message,

    (upload checker exceeded) You do not have sufficient permissions to upload files.

    I found this thread and your fixed version solved for me. Thank You!

    Plugin Support eugenecleantalk

    (@eugenecleantalk)

    Hello @pwidner ,

    Thank you for your feedback. If you enjoyed our service, we would greatly appreciate your feedback on the WordPress forum:
    https://wordpress.org/support/plugin/security-malware-firewall/reviews/

    Thread Starter fiscalwebmaster

    (@fiscalwebmaster)

    Hi, thanks for the quick turnaround on this and for preparing a fix.

    I’d prefer not to install the patched build on our production site at this stage. We’re already running 2.182.1 and we’d rather wait and pick it up through the normal stable release.

    We’ve kept the Upload Checker module enabled in the meantime, as we’d rather not disable upload scanning and reduce our protection. For now the team is working around the media-replace block manually.

    Could you let me know which stable version the fix will ship in, and roughly when you expect that release? We’ll update and confirm it works on our end at that point.

    Thanks again for looking into it.

    dlx

    (@deeluuxe)

    Same problem here:

    The Upload Checker module blocks uploads performed by Enable Media Replace.

    Steps to reproduce:

    Enable Upload Checker.
    Install Enable Media Replace.
    Replace any image.
    POST request to
    /wp-admin/upload.php?action=media_replace_upload
    returns HTTP 403.

    Disabling Upload Checker immediately fixes the issue.

    The request is a legitimate admin request and should be excluded.

    Plugin Support sergecleantalk

    (@sergecleantalk)

    @fiscalwebmaster The new release is planned within 1-2 weeks.

    @deeluuxe Have you tried the fixed version?

     https://github.com/CleanTalk/security-malware-firewall/releases/download/fix-version/security-malware-firewall.zip

    • Go to the WordPress Administrator Panel -> Plugins.
    • Find the plugin ‘Security by CleanTalk’ -> Deactivate.
    • After the automatic page refresh, find the plugin again ‘Security by CleanTalk’ -> Delete. Confirm files deletion.
    • Download the plugin archive from the link.
    • Go to Plugins -> Add New -> Upload Plugin.
    • Choose the downloaded archive and press ‘Install Now’.
    • Once you have installed the plugin, activate it and check that the access key matches the one on your CleanTalk dashboard.
Viewing 7 replies - 1 through 7 (of 7 total)

You must be logged in to reply to this topic.