CVE-2026-10737: WordPress SP Project & Document Manager Unauthenticated File Access Vulnerability
The SP Project & Document Manager plugin for WordPress has a serious authorization flaw that allows anyone on the internet to download files from project folders without logging in. The vulnerability stems from a flawed permission check that uses logic errors to bypass all security gates. An attacker only needs to know or guess a file ID to request access through a standard WordPress admin interface, potentially exposing confidential project documents, contracts, customer data, or other sensitive files stored within the plugin.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-862
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
The SP Project & Document Manager plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the view_file function in all versions up to, and including, 4.71. This makes it possible for unauthenticated attackers to read file metadata and obtain download links for arbitrary files stored inside project folders on the server, which can contain sensitive information. The authorization gate uses a negated nonce check OR-chained with permission checks, meaning a missing or invalid nonce causes the entire condition to evaluate to true and bypass all preceding capability and ownership checks. The secondary fallback check only denies access for root-level files (pid == 0), leaving all files stored inside project folders fully exposed to unauthenticated users who supply only a valid file ID in a POST request to admin-ajax.php.
4 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10737 is an authorization bypass in the SP Project & Document Manager WordPress plugin affecting all versions through 4.71. The view_file function implements a negated nonce check OR-chained with permission checks, creating a logic error: when a nonce is missing or invalid, the negation evaluates to true, short-circuiting the entire condition and bypassing downstream capability and ownership checks. A secondary fallback check only denies access to root-level files (pid == 0), leaving all files stored inside project folders accessible to unauthenticated attackers via POST requests to admin-ajax.php using only a valid file ID. This affects the confidentiality of stored files and metadata, with no integrity or availability impact.
Business impact
Organizations using this plugin to manage sensitive project documentation face direct exposure of confidential materials. An attacker could systematically enumerate file IDs to extract customer data, financial records, legal documents, source code, or architectural plans without detection. The lack of authentication means there is no audit trail of unauthorized access. For managed service providers, consultancies, and enterprises relying on this plugin for client project storage, this vulnerability creates significant compliance and liability risks, particularly under GDPR, HIPAA, or SOC 2 frameworks where unauthorized data access must be reported.
Affected systems
All WordPress installations running the SP Project & Document Manager plugin version 4.71 or earlier are affected. The plugin is deployed on any WordPress site where users upload files to project folders. The vulnerability is network-accessible and requires no special configuration—it affects standard WordPress admin-ajax.php endpoints present on all affected deployments. Sites with public-facing project folders are at highest immediate risk.
Exploitability
This vulnerability is straightforward to exploit. An attacker requires only network access to the WordPress installation and knowledge of a valid file ID—neither authentication nor a user account is required. The exploit path is simple: a POST request to admin-ajax.php with an action parameter pointing to the vulnerable function and a file ID yields file metadata and download links. No special tools, elaborate payloads, or user interaction are needed. The low complexity and lack of authentication requirements classify this as highly exploitable. Active exploitation is likely once the vulnerability is widely publicized.
Remediation
Immediately update the SP Project & Document Manager plugin to a version that implements proper capability checks and corrects the authorization logic. Do not rely on nonce checks alone; capability checks must precede and be enforced independently of nonce validation. Verify that the patched version performs explicit permission validation before granting access to any file, regardless of whether a nonce is present. As an interim mitigation, restrict access to admin-ajax.php via Web Application Firewall rules or network controls to reduce the attack surface, though this is not a complete remediation.
Patch guidance
Consult the official SP Project & Document Manager plugin repository and the vendor's security advisory for the recommended patched version. Update immediately through the WordPress admin interface or directly from the plugin source. After patching, clear any cached authentication tokens or sessions to force re-validation. Perform a spot-check by attempting to access file resources as an unauthenticated user to confirm the vulnerability is resolved. Verify that file access now properly enforces user authentication and ownership checks.
Detection guidance
Monitor web server and application logs for POST requests to admin-ajax.php containing actions related to file retrieval or viewing. Look for requests from non-authenticated sources (no valid session cookie) attempting to access file metadata or download endpoints. Establish baseline patterns of legitimate admin-ajax.php traffic and alert on anomalies such as requests with suspicious file IDs or rapid enumeration attempts. If forensic analysis is needed, check WordPress database logs and file system access logs for unauthorized file reads during the vulnerable period. Consider enabling detailed logging on the plugin if available to capture which files were accessed by whom and when.
Why prioritize this
This vulnerability scores HIGH (CVSS 7.5) and should receive immediate attention because it enables unauthenticated information disclosure of potentially sensitive project files with no barriers to exploitation. The lack of authentication requirements, network accessibility, and high impact on confidentiality make this a priority for rapid patching. Organizations should treat this as urgent if they store confidential materials in project folders managed by this plugin. The absence from CISA's KEV catalog does not diminish the urgency; active exploitation is likely once public awareness increases.
Risk score, explained
The CVSS 3.1 score of 7.5 (HIGH) reflects: Network vector (AV:N) - remotely exploitable over the internet; Low complexity (AC:L) - no special conditions or user interaction required; No privileges needed (PR:N) - unauthenticated access; No scope change (S:U) - impact limited to the plugin's files; High confidentiality impact (C:H) - arbitrary file metadata and download links exposed; No integrity or availability impact (I:N/A:N). The high score underscores the serious risk to data confidentiality and the ease of exploitation. Organizations should not discount this vulnerability due to absence from known exploit databases; the simplicity of the attack and broad plugin distribution suggest rapid weaponization is probable.
Frequently asked questions
Can this vulnerability expose files outside the plugin's designated project folders?
According to the technical details, the secondary fallback check only blocks access to root-level files (pid == 0). This means all files stored inside project folders are exposed, but the scope is limited to the plugin's storage structure. However, if the plugin stores files in accessible web-readable directories, an attacker could potentially chain this with other techniques to access unintended files. Review your plugin configuration and file permissions to confirm containment.
Do I need a valid WordPress user account to exploit this?
No. The vulnerability allows completely unauthenticated access. An attacker only needs to know or guess a file ID and make a POST request to admin-ajax.php. No login credentials, session tokens, or nonce values are required. This is what makes the vulnerability particularly dangerous.
How can I check if my site was compromised before patching?
Review WordPress access logs and database logs for the vulnerable period, focusing on POST requests to admin-ajax.php from non-authenticated sources. Check file system access logs and modification times on stored project files. If you have backup snapshots, compare file access timestamps before and after the CVE publication date. Consider consulting a forensic analyst if you suspect unauthorized access occurred.
Is there a temporary workaround while I prepare to patch?
A workaround is not a substitute for patching, but you can reduce exposure by restricting network access to admin-ajax.php at the firewall or Web Application Firewall level to trusted IP ranges only, or by temporarily disabling the plugin if it is not mission-critical. These measures buy time but do not eliminate the vulnerability. Patching is the only complete fix.
This analysis is provided for informational purposes to aid security teams in vulnerability assessment and remediation. SEC.co does not verify the accuracy or completeness of vendor patches or third-party advisories. Organizations should independently verify patch versions and test updates in non-production environments before deployment. The vulnerability details are based on public disclosures and ground-truth source data current as of the publication date; refer to official vendor advisories and security bulletins for the most current information. This write-up is not a substitute for professional security assessment or incident response consultation. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25391HIGHHaPe PKH 1.1 Authorization Bypass – Unauthorized Record Deletion Vulnerability
- CVE-2025-26418HIGHAndroid CarDevicePolicyService Privilege Escalation (CVSS 7.8)
- CVE-2025-53345HIGHThimPress Thim Core Missing Authorization Leads to Code Execution
- CVE-2026-31942HIGHLibreChat IDOR Vulnerability Allows Unauthorized API Key Manipulation
- CVE-2026-32905HIGHOpenClaw Device-Pair Authorization Bypass (CVSS 8.3)
- CVE-2026-35630HIGHOpenClaw Authorization Bypass in QQBot Approval Buttons
- CVE-2026-42669HIGHEventPrime Missing Authorization Vulnerability (CVSS 7.5)
- CVE-2026-42670HIGHMissing Authorization in Five Star Restaurant Reservations – Data Exposure Risk