Upload Checker module appears to block Enable Media Replace
-
Hello,
We’re running CleanTalk Security & Malware Firewall (security-malware-firewall) on a WordPress 7.0 site and appear to have traced a reproducible conflict between the plugin’s Upload Checker module and the Enable Media Replace plugin. I’d like to report it and ask whether a targeted exclusion is possible so we don’t have to disable the module site-wide.
Symptom
When a user attempts to replace an existing media file via Enable Media Replace, the request fails with the WordPress error page “You do not have sufficient permissions to upload files.” The browser tab title on the error page reads “Upload Checker Exceeded.” A normal new media upload (Media > Add New) succeeds without issue – only the replace action appears to fail.Affected request
POST to /wp-admin/upload.php?page=enable-media-replace/enable-media-replace.php&action=media_replace_upload&attachment_id=XXXXXWhat we ruled out before identifying the likely cause
- WordPress 7.0 did not change Editor role capabilities; the affected user has upload_files (new uploads work).
- Enable Media Replace was updated to the current version; the error persisted.
- SiteGround server-level: nginx/Apache error log shows no 403 or ModSecurity entry at the time of the failed replace.
- SiteGround access log shows the site serving normally (admin actions, media, large PDFs all 200).
- CleanTalk Security FireWall log: across ~5,000 rows, waf_attack_type = NONE on every row, with no WAF block against the affected users – all our denials are external bots hitting wp-login.php / xmlrpc.php. So this does not appear to be caught or logged as a WAF attack.
- It does not appear to be a role/capability issue: the error also reproduces for an Administrator, suggesting it is not keyed on upload_files.
Likely cause (Query Monitor call stack)
The error page reports “This message was triggered by security-malware-firewall,” with the following call stack:wp_die()
spbc_upload_checker__check()
wp-content/plugins/security-malware-firewall/inc/spbc-firewall.php:205
Closure on line 256 of wp-content/plugins/security-malware-firewall/security-malware-firewall.php
wp-content/plugins/security-malware-firewall/security-malware-firewall.php:256
do_action(‘init’)
wp-settings.php:771This suggests the Upload Checker module (spbc_upload_checker__check) is firing on the init hook and calling wp_die() on the Enable Media Replace media_replace_upload request.
What the behaviour appears to indicate
The Upload Checker does not appear to be rejecting file content. The same image uploads successfully as a new file with the module enabled, but replacing that identical, already-uploaded file via Enable Media Replace is blocked with the call stack above. This suggests the module may be reacting to the media_replace_upload action path itself rather than to the file being scanned.Confirmation steps we ran
- With “Run the Upload Checker module for uploaded files” (Settings > Security by CleanTalk > General Settings) toggled OFF, the replace completes successfully (“Your image has been successfully replaced!”).
- With the module toggled back ON, a new upload still succeeds, but replacing that same newly-uploaded file is blocked again with the identical call stack.
This appears to isolate the Upload Checker module as the trigger.
Question
Is there a way to exclude the Enable Media Replace action (action=media_replace_upload) — or otherwise allow this admin media-replace flow — from the Upload Checker module, so we can keep upload malware scanning enabled site-wide rather than disabling the module entirely? If the Upload Checker flagging the media_replace_upload request looks like a bug at your end, please treat this as a report of that conflict.We also noticed a recent thread on the WordPress.org support forum (“Upload whitelist?”, 24 June 2026) where another user described blocked uploads from a legitimate trusted-user flow and asked about whitelisting; your support reply pointed them to the same Upload Checker toggle. We don’t know whether their root cause was the same, but the symptoms and the request are similar enough that it may be related. We’d be keen to know whether a more granular exclusion is possible rather than turning the module off entirely.
Environment
- WordPress 7.0
- CleanTalk Security & Malware Firewall (security-malware-firewall) — current version
- Enable Media Replace — current version
- Hosting: SiteGround
- Site: fiscaltec.com
Happy to provide any further logs. Thank you.
You must be logged in to reply to this topic.
