CVE-2026-10737
Received Received - Intake
SP Project & Document Manager File Access Vulnerability

Publication date: 2026-06-04

Last updated on: 2026-06-04

Assigner: Wordfence

Description
The SP Project & Document Manager plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the view_file function in all versions up to, and including, 4.71. This makes it possible for unauthenticated attackers to read file metadata and obtain download links for arbitrary files stored inside project folders on the server, which can contain sensitive information. The authorization gate uses a negated nonce check OR-chained with permission checks, meaning a missing or invalid nonce causes the entire condition to evaluate to true and bypass all preceding capability and ownership checks. The secondary fallback check only denies access for root-level files (pid == 0), leaving all files stored inside project folders fully exposed to unauthenticated users who supply only a valid file ID in a POST request to admin-ajax.php.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-04
Last Modified
2026-06-04
Generated
2026-06-04
AI Q&A
2026-06-04
EPSS Evaluated
N/A
NVD
CVE-2026-10737
EUVD
EUVD-2026-34190
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wp_sp_project_document_manager sp_project_document_manager to 4.71 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

The SP Project & Document Manager plugin for WordPress has a vulnerability due to a missing capability check in its view_file function in all versions up to and including 4.71.

This flaw allows unauthenticated attackers to access file metadata and obtain download links for arbitrary files stored inside project folders on the server.

The issue arises because the authorization logic uses a negated nonce check OR-chained with permission checks, so if the nonce is missing or invalid, the entire condition evaluates to true, bypassing all capability and ownership checks.

Only root-level files are protected by a secondary fallback check, leaving all other files inside project folders exposed to unauthenticated users who provide a valid file ID in a POST request to admin-ajax.php.


How can this vulnerability impact me? :

This vulnerability can allow unauthenticated attackers to read sensitive file metadata and download links for arbitrary files stored within project folders on the server.

Since these files may contain sensitive information, unauthorized access could lead to data exposure and potential information leakage.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

This vulnerability allows unauthenticated attackers to access sensitive file metadata and download links for arbitrary files stored in project folders on the server. Such unauthorized access to sensitive information can lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive data.

Because the vulnerability bypasses capability and ownership checks, it undermines the confidentiality requirements mandated by these standards, potentially resulting in non-compliance and associated legal or regulatory consequences.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart