CVE-2026-10737 Overview
CVE-2026-10737 is a missing authorization vulnerability in the SP Project & Document Manager plugin for WordPress, affecting all versions up to and including 4.71. The flaw resides in the view_file function, which fails to enforce capability checks before exposing file metadata and download links. Unauthenticated attackers can issue a POST request to admin-ajax.php with a valid file ID to retrieve sensitive documents stored inside project folders. The vulnerability is tracked under [CWE-862] (Missing Authorization).
Critical Impact
Unauthenticated remote attackers can enumerate and download arbitrary files stored within project folders, leading to disclosure of confidential client documents.
Affected Products
- SP Project & Document Manager plugin for WordPress
- All versions up to and including 4.71
- WordPress sites exposing the plugin's admin-ajax.php endpoints
Discovery Timeline
- 2026-06-04 - CVE-2026-10737 published to NVD
- 2026-06-04 - Last updated in the NVD database
Technical Details for CVE-2026-10737
Vulnerability Analysis
The view_file function in the SP Project & Document Manager plugin implements a broken authorization gate. The logic combines a negated nonce check with permission checks using an OR operator. When the nonce is missing or invalid, the negated condition evaluates to true and short-circuits the entire expression, bypassing all preceding capability and ownership validations.
A secondary fallback check only denies access when the parent project ID equals zero, treating root-level files as protected. Files associated with any non-zero project ID remain fully reachable. Unauthenticated callers obtain file metadata and signed download URLs by submitting only a numeric file identifier.
Root Cause
The root cause is faulty boolean logic in the authorization gate. The use of OR-chained conditions with a negated nonce verification inverts the intended security control. Instead of requiring both a valid nonce and an authorized user, the function grants access whenever any branch evaluates favorably, including the failure path of the nonce check.
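The gate described above, reconstructed as an illustrative PHP pattern beside a corrected version (added example, not the plugin's source; sp_get_file() and the user_id, project_id, name and download_url fields are assumed names):

```php
<?php
// Added example, not the plugin's source: an illustrative reconstruction of the
// broken gate beside a corrected version. sp_get_file() and the user_id /
// project_id / name / download_url fields are assumed names.

// VULNERABLE PATTERN. The negated nonce check is OR-ed with the permission
// checks: a missing or invalid nonce makes "! wp_verify_nonce()" true, which
// short-circuits the whole expression to "allowed" whatever the other branches say.
function sp_view_file_vulnerable() {
    $file  = sp_get_file( absint( $_POST['id'] ?? 0 ) );
    $nonce = $_POST['_ajax_nonce'] ?? '';
    if ( ! $file ) {
        wp_send_json_error( 'not found', 404 ); // wp_send_json_* terminate the request
    }
    if ( current_user_can( 'manage_options' )
        || get_current_user_id() === (int) $file->user_id
        || ! wp_verify_nonce( $nonce, 'sp_view_file' ) ) {
        // Secondary fallback: only root-level files (project_id 0) are refused.
        if ( 0 === (int) $file->project_id ) {
            wp_send_json_error( 'denied', 403 );
        }
        wp_send_json_success( array( 'name' => $file->name, 'url' => $file->download_url ) );
    }
    wp_send_json_error( 'denied', 403 );
}

// HARDENED PATTERN. Deny first, with every requirement AND-ed: a valid nonce,
// an authenticated user, and either the manage_options capability or ownership.
// The project ID is not an authorization signal and plays no part here.
function sp_view_file_hardened() {
    check_ajax_referer( 'sp_view_file', '_ajax_nonce' ); // dies with 403 on failure
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'denied', 403 );
    }
    $file = sp_get_file( absint( $_POST['id'] ?? 0 ) );
    if ( ! $file ) {
        wp_send_json_error( 'not found', 404 );
    }
    $is_owner = get_current_user_id() === (int) $file->user_id;
    if ( ! current_user_can( 'manage_options' ) && ! $is_owner ) {
        wp_send_json_error( 'denied', 403 );
    }
    wp_send_json_success( array( 'name' => $file->name, 'url' => $file->download_url ) );
}

// Register the handler for logged-in users only. Omitting the matching
// wp_ajax_nopriv_view_file hook removes the unauthenticated entry point entirely.
add_action( 'wp_ajax_view_file', 'sp_view_file_hardened' );
```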
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker sends a crafted POST request to admin-ajax.php containing the view_file action and a target file ID. The server responds with metadata and a download link for the requested file. Attackers iterate through sequential file IDs to enumerate documents stored across all project folders on the host.
The vulnerability mechanism is documented in the WordPress Plugin Code Review and the Wordfence Vulnerability Report.
Detection Methods for CVE-2026-10737
Indicators of Compromise
- Unauthenticated POST requests to /wp-admin/admin-ajax.php containing the action=view_file parameter
- Sequential or rapid enumeration of numeric id values within view_file requests from a single source IP
- Outbound responses from admin-ajax.php containing download URLs referencing the plugin's upload directories
Detection Strategies
- Inspect web server access logs for POST requests to admin-ajax.php referencing the view_file action without an authenticated session cookie
- Deploy WAF rules that block unauthenticated invocations of plugin AJAX actions associated with file retrieval
- Correlate spikes in HTTP 200 responses carrying file metadata with the absence of wordpress_logged_in_* session cookies on the corresponding requests
Monitoring Recommendations
- Monitor file access patterns within the plugin's storage directory for unusual download volume
- Alert on repeated admin-ajax.php requests from a single IP iterating through numeric identifiers
- Track plugin version inventory across hosted WordPress sites to identify vulnerable installations
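The indicators and detection strategies above, applied to access-log lines as an added PHP example (not from the advisory or the plugin). It assumes a custom log format that appends the Cookie header as a final quoted field, and that the action and id parameters are visible in the request line; the sample lines are constructed.

```php
<?php
// Added example (not from the advisory or the plugin): flags the view_file
// indicators in web-server access logs. Assumes a log format that appends the
// Cookie header as a final quoted field ("combined" does not log cookies) and
// that action/id appear in the request line; actions carried only in the POST
// body need a WAF or body-logging source instead.
function sp_scan_view_file_log( array $lines, int $run_threshold = 3 ): array {
    $unauth_hits = array(); // ip => unauthenticated requests answered with 200
    $ids_by_ip   = array(); // ip => numeric file ids requested
    $re = '~^(\S+) \S+ \S+ \[[^\]]+\] "POST /wp-admin/admin-ajax\.php\?(\S*) HTTP/[\d.]+" (\d{3}) \S+ "[^"]*" "[^"]*" "([^"]*)"$~';
    foreach ( $lines as $line ) {
        if ( ! preg_match( $re, $line, $m ) ) {
            continue; // not a POST to admin-ajax.php, or not this log format
        }
        parse_str( $m[2], $params );
        if ( ( $params['action'] ?? '' ) !== 'view_file' ) {
            continue;
        }
        $ip = $m[1];
        // WordPress names its session cookie wordpress_logged_in_<hash>.
        if ( '200' === $m[3] && false === strpos( $m[4], 'wordpress_logged_in_' ) ) {
            $unauth_hits[ $ip ] = ( $unauth_hits[ $ip ] ?? 0 ) + 1;
        }
        if ( isset( $params['id'] ) && ctype_digit( $params['id'] ) ) {
            $ids_by_ip[ $ip ][] = (int) $params['id'];
        }
    }
    // Enumeration: longest run of consecutive ids requested by one source IP.
    $enumeration = array();
    foreach ( $ids_by_ip as $ip => $ids ) {
        $ids = array_unique( $ids );
        sort( $ids );
        $run = $best = 1;
        for ( $i = 1; $i < count( $ids ); $i++ ) {
            $run  = ( $ids[ $i ] === $ids[ $i - 1 ] + 1 ) ? $run + 1 : 1;
            $best = max( $best, $run );
        }
        if ( $best >= $run_threshold ) {
            $enumeration[ $ip ] = $best;
        }
    }
    return array( 'unauthenticated' => $unauth_hits, 'enumeration' => $enumeration );
}
// Constructed sample lines: documentation-range IPs and an invented cookie hash.
$sample = array(
    '203.0.113.7 - - [04/Jun/2026:10:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=view_file&id=101 HTTP/1.1" 200 512 "-" "curl/8.0" "-"',
    '203.0.113.7 - - [04/Jun/2026:10:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=view_file&id=102 HTTP/1.1" 200 498 "-" "curl/8.0" "-"',
    '203.0.113.7 - - [04/Jun/2026:10:00:03 +0000] "POST /wp-admin/admin-ajax.php?action=view_file&id=103 HTTP/1.1" 200 530 "-" "curl/8.0" "-"',
    '198.51.100.4 - - [04/Jun/2026:10:05:00 +0000] "POST /wp-admin/admin-ajax.php?action=view_file&id=7 HTTP/1.1" 200 501 "-" "Mozilla/5.0" "wordpress_logged_in_abc123=alice%7Cfake"',
);
print_r( sp_scan_view_file_log( $sample ) ); // 203.0.113.7 is flagged on both counts
```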
How to Mitigate CVE-2026-10737
Immediate Actions Required
- Identify all WordPress instances running the SP Project & Document Manager plugin version 4.71 or earlier
- Disable or remove the plugin on sites where an updated patched version is not yet available
- Restrict access to admin-ajax.php for unauthenticated users through firewall or reverse proxy rules where feasible
- Audit existing file storage directories for evidence of unauthorized download activity
Patch Information
At the time of NVD publication on 2026-06-04, no fixed version is listed in the available references. Administrators should consult the Wordfence Vulnerability Report and the plugin's WordPress.org listing for the latest remediation guidance.
Workarounds
- Block unauthenticated POST requests to admin-ajax.php with action=view_file at the WAF or reverse proxy layer
- Move sensitive project files outside the web-accessible directory until a patched plugin version is installed
- Apply IP allowlisting on /wp-admin/ endpoints for environments that do not require public administrative access
# Example nginx rule to block POST view_file requests to admin-ajax.php.
# nginx does not allow nested "if" blocks, so method and query string are
# tested in one regex. $args only covers the query string: an action sent
# solely in the POST body must be blocked at a WAF that inspects bodies.
# This also blocks legitimate logged-in users, so treat it as a stopgap.
location = /wp-admin/admin-ajax.php {
    if ("$request_method:$args" ~* "^POST:(.*&)?action=view_file(&|$)") {
        return 403;
    }
    # ... existing fastcgi_pass / PHP handling for this location ...
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.