Support » Fixing WordPress » Cheatin uh? (When trying to upload media via 3rd party theme)

  • I had a problem exactly as described in this thread:

    Since the topic was closed, it will end up sinking to the bottom of the forum – so I wanted to point out the ONLY FIX I’m aware of so far, without waiting for the theme developers to make updates. Fix thanks to crazy.adeel:

    open media-upload.php from admin folder.
    goto line# 125
    remove line#125 and replace it with below
    if ( ! empty( $_REQUEST[‘post_id’] ) && current_user_can( ‘edit_post’ , $_REQUEST[‘post_id’] ) )

    don’t change line#126 ..

    That’s it. Basically, the change was removing “!” in front of current_user_can(‘edit_post’ … so that it doesn’t care whether or not you can edit a post.

    Obviously this is less than ideal of a fix since it opens up a security hole – however, some of us don’t have the luxury of explaining to clients that they have to wait for a wordpress or a theme update.

    Hope this helps someone else out there as much as it helped me! Note to mods – please don’t close threads on active issues. If you want to point the finger at theme developers, fine. But don’t squash the conversation. Please.

Viewing 15 replies - 1 through 15 (of 30 total)
  • I had this problem with wp3.4 and 3.4.1. So I decided to install wp 3.3 and that helped. Good luck 😉

    Thanks producerism,

    That fixed my issue temporarily.

    Hopefully something is updated soon so we don’t require a security hole to be able to upload things.

    The fix should reside in the theme, not in core. WordPress changed post_id to post_ID so the uppercase ID will through off the upload function.

    Note this post here:

    Simply changing the line towards the bottom that reads tb_show(”, ‘media-upload.php?post_id=0&type=image&TB_iframe=true’); to tb_show(”, ‘media-upload.php?post_ID=0&type=image&TB_iframe=true’); will solve the issue and you won’t have to touch core. The code assumed that the admin would have a hidden field called ‘post_id’ but the WordPress upgrade changed that field so it chokes.

    If you modify core the next time you do an upgrade the same issue will more than likely occur unless it’s fixed from the theme side because WP change the id from lowercase to uppercase.

    Hope this helps users on this forum and others.

    Thank you kevinslane!

    Turns out that was the problem in a custom plugin we had.

    All fixed now and no changes to core required.


    To kevinslane,

    The fix should reside in the theme, not in core. WordPress changed post_id to post_ID so the uppercase ID will through off the upload function.

    Could you show me the source? I think you’re wrong.

    Media Uploader restricts post ID for some reason in WordPress 3.3.3 or later. See Changeset 21048 for trunk/wp-admin/media-upload.php that is core in you-speak.

    When you replace post_id with post_ID, Media Uploader seems to work because post_ID is invalid name and equal to no parameter.

    • Without post_id parameter, it works as post_id=0
    • If post_id=0, it works
    • If post_id=123, it does not work since post ID is restricted
    • If post_ID=0, it works since post_ID is invalid name
    • If post_ID=123, it works since post_ID is invalid name

    @ kevinslane

    tb_show(”, ‘media-upload.php?post_id=0&type=image&TB_iframe=true’);

    Can you please help me to locate the file where we need to make those changes and at which line.

    If you zip your theme and send to me @anish_annu I will be happy to update and send back. Just zip your theme and I can download and I will send back the appropriate file that will be modified.


    Thanks @ kevinslane for your response and asking me for the following0-

    If you zip your theme and send to me @anish_annu

    But i would appreciate if you could let me know, i can do it on my own also, if you would like to help me further on this.

    You will need to find the file in your theme that does the custom upload which will more than likely be a .js file. I have know way of knowing what the name of that is w/o seeing the theme structure as all themes are built differently. Or you could grep for a specific term on all of the files in your theme to find out where this function resides.


    Hi Kevin—
    I am also having the same problem and do not have much of a background in work on the web. Am I looking for the “id” to capitalize under the “editor” tab on WP?

    @ kevinslane
    Thanks again for responding so fast.
    I have found the file and code but that seems slightly different than what is explained in your post.
    Here goes the link for the file

    Can you please help me to address the issue in the coding of this file.

    The link seems not working, i am attaching it again, if it didn’t work again, then let me know how can i send that file.
    Link goes

    thanks a lot Producerism it really helped me on

    Please see here anish_annu:

    Follow this link and download the new file.


    @prbenson, you will not be able to do anything within WordPress. You will need to modify your theme and have some basic knowledge of the structure of your theme and locating the appropriate file. Without knowing how to do either you will need to ask the editor of your theme or send me the theme as a zip via and I can try to assist just as I did with anish_annu.


Viewing 15 replies - 1 through 15 (of 30 total)
  • The topic ‘Cheatin uh? (When trying to upload media via 3rd party theme)’ is closed to new replies.