CVE-2026-10737
Deferred Deferred - Pending Action
SP Project & Document Manager File Access Vulnerability

Publication date: 2026-06-04

Last updated on: 2026-06-04

Assigner: Wordfence

Description
The SP Project & Document Manager plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the view_file function in all versions up to, and including, 4.71. This makes it possible for unauthenticated attackers to read file metadata and obtain download links for arbitrary files stored inside project folders on the server, which can contain sensitive information. The authorization gate uses a negated nonce check OR-chained with permission checks, meaning a missing or invalid nonce causes the entire condition to evaluate to true and bypass all preceding capability and ownership checks. The secondary fallback check only denies access for root-level files (pid == 0), leaving all files stored inside project folders fully exposed to unauthenticated users who supply only a valid file ID in a POST request to admin-ajax.php.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-04
Last Modified
2026-06-04
Generated
2026-06-24
AI Q&A
2026-06-04
EPSS Evaluated
2026-06-23
NVD
CVE-2026-10737
EUVD
EUVD-2026-34190
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wp_sp_project_document_manager sp_project_document_manager to 4.71 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The SP Project & Document Manager plugin for WordPress has a vulnerability due to a missing capability check in its view_file function in all versions up to and including 4.71.

This flaw allows unauthenticated attackers to access file metadata and obtain download links for arbitrary files stored inside project folders on the server.

The issue arises because the authorization logic uses a negated nonce check OR-chained with permission checks, so if the nonce is missing or invalid, the entire condition evaluates to true, bypassing all capability and ownership checks.

Only root-level files are protected by a secondary fallback check, leaving all other files inside project folders exposed to unauthenticated users who provide a valid file ID in a POST request to admin-ajax.php.

Impact Analysis

This vulnerability can allow unauthenticated attackers to read sensitive file metadata and download links for arbitrary files stored within project folders on the server.

Since these files may contain sensitive information, unauthorized access could lead to data exposure and potential information leakage.

Compliance Impact

This vulnerability allows unauthenticated attackers to access sensitive file metadata and download links for arbitrary files stored in project folders on the server. Such unauthorized access to sensitive information can lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive data.

Because the vulnerability bypasses capability and ownership checks, it undermines the confidentiality requirements mandated by these standards, potentially resulting in non-compliance and associated legal or regulatory consequences.

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized POST requests to the admin-ajax.php endpoint that include a valid file ID parameter. Since the vulnerability allows unauthenticated attackers to read file metadata and obtain download links, suspicious POST requests targeting admin-ajax.php with file IDs should be investigated.

You can use network monitoring or web server logs to identify such requests. For example, using command-line tools like grep on your web server access logs to find POST requests to admin-ajax.php:

  • grep 'POST /wp-admin/admin-ajax.php' /var/log/apache2/access.log
  • grep 'file_id=' /var/log/apache2/access.log

Additionally, you can use tools like tcpdump or Wireshark to capture and analyze HTTP POST traffic to the admin-ajax.php endpoint to detect attempts to exploit this vulnerability.

Mitigation Strategies

Immediate mitigation steps include updating the SP Project & Document Manager plugin to a version later than 4.71 where this vulnerability is fixed.

If an update is not immediately possible, restrict access to the admin-ajax.php endpoint by implementing firewall rules or web server access controls to block unauthenticated POST requests that include file ID parameters.

Additionally, monitor and audit access logs for suspicious activity targeting this endpoint and consider disabling or limiting the plugin functionality until a patch is applied.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10737. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart