Is it safe to allow non-admin users access to media uploader

WP is reasonably secure for default use cases. In typical workflow it will call wp_check_filetype_and_ext() to verify that file uploaded is of allowed type.

It can get considerably more questionable in regards to security if you customize it to work with non–default kinds of files and you might need to implement your own security checks.

Note that users with special unfiltered_upload capability will be able to upload absolutely anything at all, so be very careful if you are assigning it to any roles.

Related Posts:

  1. Protecting direct access to PDF and ZIP unless user logged in (without plugin)
  2. Password protect some uploaded files, so only logged-in users can view them
  3. How to protect uploads in multisite if user is not logged in?
  4. making media URL secured
  5. WordPress 3.5: Setting custom “full URL path to files” in the Media Library?
  6. simple solution for restricting access to (some) uploads/downloads
  7. what happens to existing media files when I switch to year/month directory structure format?
  8. Set limit to media upload?
  9. Use a separate custom table (not posts) to handle file upload data
  10. Image upload callback in new 3.5 media
  11. Add inline uploader to plugin option page
  12. “Add Media” only shows “Full Size” under Attachment Display Settings
  13. Differentiate Featured Image from Post Images upon Upload
  14. How to call WP3.5 Media Library manager?
  15. I want to replace a media file (pdf) with an updated version
  16. There’s a way to scale media (images) at 50%?
  17. How to get all files inserted (but not attached) to a post
  18. What are the security reasons to disallow Microsoft Word uploads?
  19. Media Uploader: get deleted files
  20. Trigger JS when featured image upload window is opened in admin
  21. Modify the array of selected images in media modal
  22. 3.5 media manager add CSS / JS to new ‘tab’ iframe content
  23. Add/change multipart_params parameter when uploading post image
  24. http error when uploading media files
  25. How to change “Publish” button text for specific page
  26. Saving WordPress generated thumbnails in a subdirectory
  27. Whole bunch of errors on WP website – media upload, edit slugs, edit screen not working [closed]
  28. Add select field to media uploader that adds a class to the image
  29. Retroactively place uploaded media into -month, -year based folders?
  30. wp.media add context
  31. How can I receive the image id using the media box?
  32. media sideload image not working with JPG file
  33. Insert Image automatically when upload finishes wordpress media uploader
  34. How do I modify the url of uploaded media content?
  35. How do I get allowed Media Library upload file extension list?
  36. Use the WP media uploader dialog for uploading a form attachment (non-admin). Offering progress and drag and drop feedback
  37. WordPress bug with capabilities?
  38. Display attachments by the ID of the post being edited in the wp.media frame (frontend)
  39. Media Gallery Upload photo incorrect way like glitch
  40. media_handle_upload() progress bar
  41. WordPress uploads autocreate folder every month
  42. Enabling users to upload files
  43. ‘An error occurred in the upload. Please try again later.’ for users with different roles
  44. Is there a way to make my media files unsearchable?
  45. Is it possible to use media_sideload_image to upload local files?
  46. Attach media to post by media category
  47. upload_max_filesize is set to 64 MB already but WordPress is still showing 2 MB
  48. PHP error when trying to upload .mp3 files via Media Library [closed]
  49. How to fix the orientation of images when uploading via the WordPress Media Uploader? [closed]
  50. Is it possible to import all files from a uploads DIR into WP media, retaining paths to the files
  51. How does WordPress decides how many sizes of an image to create?
  52. Flat media folder vs multiple directories
  53. Move media files from the root to date folder structure
  54. Big file upload give HTTP error
  55. Can you limit the size of media files being uploaded not using php.ini?
  56. Image upload to media library fails. Folder won’t create, database insert fail, XAMPP Windows
  57. Send media uploads to different directories
  58. Open Media Uploader Link in single post or page
  59. Remove Media File Items From Server That Do Not Exist in Media Library
  60. How to change archieve frequency of the media file in uploads folder for wordpress blog
  61. Cropping thumbnails to specific dimensions on front end post
  62. How to limit sizes for specific upload programmatically?
  63. Using WP-CLI “wp media import” to sync files to the media library
  64. Import media (.xml) does not attribute featured images to posts
  65. Efficient way to move media folder to another folder
  66. Make inline uploader (plupload) on options page upload to a specific folder
  67. Blog suddenly can’t display .jpg
  68. MIME type not supporting HEIC support type in WordPress
  69. media file uploading
  70. Modify Maximum upload file size text in WordPress Media
  71. Replicate Media Galley Edit view in Add Media View
  72. Front-End Upload media with category
  73. How to manually set an attachment in a post?
  74. Adding attachment custom field metadata to TinyMCE tag
  75. Sanitizing existing media library paths and page links from foreign characters
  76. Issue with upload.php with media
  77. Media files not loading
  78. Media files not loading
  79. Set default “Link CSS Class” in add media admin editor
  80. media_sideload_image results in http error (500)
  81. How could you allow users to upload a video in within their profile and display it on a wordpress site?
  82. How to share media between independent blogs?
  83. media_handle_upload on mix form fields (not required file input)
  84. Check if author or uploader id of the attachment(uploaded) image is match?
  85. WP Capabilities to Add Media, Use Media, But Not Edit Them
  86. Limit attachment caption characters
  87. Don’t show avatars in media library
  88. Organizing the Media Library for Cleanup
  89. Drag and Drop Media Not Working in Windows 10 Edge Browser
  90. WP upload/select image , isn’t this a security issue?
  91. Insert media while posting is not working with new wordpress update
  92. Media Library broken images
  93. What is the best way to upload a temporary & sensitive file and then delete it when done
  94. Make custom thumbnail size image in media_sideload_image function
  95. Importing blog failed to download attachments from older (still online) blog
  96. Upload more than one media files with a post
  97. Media Gallery doesn’t show (using WP-Read Only)
  98. Single file upload
  99. Can’t upload files 1MB+ [closed]
  100. Image in binary in the data to WordPress media library