[wp-trac] [WordPress Trac] #64617: Media Uploader: Incorrect fallback error message when filename contains special characters (apostrophes)

WordPress Trac noreply at wordpress.org
Thu Feb 12 13:05:10 UTC 2026


#64617: Media Uploader: Incorrect fallback error message when filename contains
special characters (apostrophes)
--------------------------+--------------------------------
 Reporter:  sflwa         |       Owner:  (none)
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  Awaiting Review
Component:  Media         |     Version:  6.9.1
 Severity:  normal        |  Resolution:
 Keywords:                |     Focuses:  ui, accessibility
--------------------------+--------------------------------

Comment (by sflwa):

 @hbhalodia — I’ve uploaded a PDF and a PNG for testing. Following up on
 this, I’ve coordinated with LiquidWeb, and they provided the
 Apache/ModSecurity logs below.

 While this appears to be an environment-specific interaction, it
 highlights a significant "silent failure" in how WordPress handles server-
 side interceptions. When ModSecurity triggers a 403 on `async-upload.php`,
 the UI doesn't provide enough context for a developer to differentiate
 between a core bug, a plugin conflict, or a server-level security block.

 I believe Core would benefit from more robust error detection or
 descriptive reporting for these types of edge cases. It would prevent
 developers from chasing logic bugs when the issue is actually a resource-
 level denial.

 **Server Logs:**

 {{{
 [Wed Feb 11 20:19:05 2026] [mime_magic:error] [pid 1238722:tid
 140528628782656] [client #.#.#.#:0] AH01512: mod_mime_magic: can't read
 `/home/path/html/wp-admin/async-upload.php', referer https://domain/wp-
 admin/upload.php

 [Wed Feb 11 20:19:05 2026] [-:error] [pid 1238722:tid 140528628782656]
 [client #.#.#.#:0] [client #.#.#.#] ModSecurity: Access denied with code
 403 (phase 2). String match "on" at TX:anomaly_score_blocking. [file
 "/etc/httpd/modsecurity.d/modsecurity_crs_49_inbound_blocking.conf"] [line
 "54"] [id "981176"] [msg "Anomaly Score Summary (General: 9/5,
 Nexcess_Custom: 0/5, SQLi=0/15, XSS=0/30)"] [severity "CRITICAL"]
 [hostname "HOST"] [uri "/wp-admin/async-upload.php"] [unique_id
 "aYzkOdK2rNouI2UOnld2YgAAAIY"], referer https://domain/wp-admin/upload.php

 }}}

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/64617#comment:5>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
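
Added example (not part of the original comment or of WordPress core): a Python triage helper that pulls the rule id, URI and anomaly-score summary out of a ModSecurity deny entry like the one quoted above, to confirm that a failed upload was a server-level block. The function names are hypothetical, and reading each `N/M` pair as score/threshold is an assumption about this host's custom message format.

```python
import re

# Constructed sample: the two log entries from the comment, re-joined onto
# single lines (the mailing-list copy is hard-wrapped).
MIME_LINE = (
    "[Wed Feb 11 20:19:05 2026] [mime_magic:error] [pid 1238722:tid "
    "140528628782656] [client #.#.#.#:0] AH01512: mod_mime_magic: can't read "
    "`/home/path/html/wp-admin/async-upload.php', referer "
    "https://domain/wp-admin/upload.php"
)
DENY_LINE = (
    '[Wed Feb 11 20:19:05 2026] [-:error] [pid 1238722:tid 140528628782656] '
    '[client #.#.#.#:0] [client #.#.#.#] ModSecurity: Access denied with code '
    '403 (phase 2). String match "on" at TX:anomaly_score_blocking. [file '
    '"/etc/httpd/modsecurity.d/modsecurity_crs_49_inbound_blocking.conf"] '
    '[line "54"] [id "981176"] [msg "Anomaly Score Summary (General: 9/5, '
    'Nexcess_Custom: 0/5, SQLi=0/15, XSS=0/30)"] [severity "CRITICAL"] '
    '[hostname "HOST"] [uri "/wp-admin/async-upload.php"] [unique_id '
    '"aYzkOdK2rNouI2UOnld2YgAAAIY"], referer https://domain/wp-admin/upload.php'
)

FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')       # [key "value"] metadata
DENY_RE = re.compile(r"ModSecurity: Access denied with code (\d{3}) \(phase (\d)\)")
SCORE_RE = re.compile(r"(\w+)\s*[:=]\s*(\d+)/(\d+)")  # msg mixes ': ' and '='

def parse_block(line):
    """Return a dict for a ModSecurity deny entry, or None for any other line."""
    deny = DENY_RE.search(line)
    if not deny:
        return None
    fields = dict(FIELD_RE.findall(line))
    # Assumption: each N/M pair in the summary is score/threshold.
    scores = {name: (int(score), int(limit))
              for name, score, limit in SCORE_RE.findall(fields.get("msg", ""))}
    return {
        "status": int(deny.group(1)),
        "phase": int(deny.group(2)),
        "rule_id": fields.get("id"),
        "uri": fields.get("uri"),
        "unique_id": fields.get("unique_id"),
        "scores": scores,
        "exceeded": [n for n, (s, t) in scores.items() if s >= t],
    }

def waf_blocks_for(log_lines, uri_suffix="async-upload.php"):
    """Deny entries whose uri ends with uri_suffix (the media upload endpoint)."""
    blocks = (parse_block(line) for line in log_lines)
    return [b for b in blocks if b and (b["uri"] or "").endswith(uri_suffix)]
```

Run against the sample, `waf_blocks_for([MIME_LINE, DENY_LINE])` skips the `mod_mime_magic` entry and returns one block for rule 981176 with only the `General` category over its limit.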

