Description
The SP Project & Document Manager plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the view_file function in all versions up to, and including, 4.71. This makes it possible for unauthenticated attackers to read file metadata and obtain download links for arbitrary files stored inside project folders on the server, which can contain sensitive information. The authorization gate uses a negated nonce check OR-chained with permission checks, meaning a missing or invalid nonce causes the entire condition to evaluate to true and bypass all preceding capability and ownership checks. The secondary fallback check only denies access for root-level files (pid == 0), leaving all files stored inside project folders fully exposed to unauthenticated users who supply only a valid file ID in a POST request to admin-ajax.php.
Published: 2026-06-04
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The SP Project & Document Manager WordPress plugin contains a missing capability check in the view_file function, allowing the authorization gate to accept a negated nonce check OR‑chained with permission checks. An unauthenticated attacker can send a valid file ID to admin-ajax.php and trigger view_file(), which bypasses both capability and ownership checks. This enables the attacker to read metadata and obtain download links for any file stored inside project folders, exposing potentially sensitive information without needing authentication.

Affected Systems

All released versions of the SP Project & Document Manager plugin for WordPress up to and including version 4.71 are affected. The vulnerability applies to every installation of these versions and persists until the plugin is updated beyond 4.71.

Risk and Exploitability

The flaw carries a CVSS score of 7.5, indicating a high severity. The EPSS score is currently unavailable, but the vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw by crafting a simple POST request to admin-ajax.php with a file ID, requiring no authentication or additional privileges. The missing authorization check makes exploitation straightforward, and the ability to retrieve arbitrary file links or metadata poses a significant confidentiality risk to users and site administrators.

Generated by OpenCVE AI on June 4, 2026 at 02:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the SP Project & Document Manager plugin to the latest released version that has fixed the missing capability check; the vendor recommends upgrading beyond 4.71.
  • If an immediate plugin update is not possible, restrict access to admin‑ajax.php for unauthenticated users or block the view_file endpoint entirely using web‑application firewall rules or .htaccess restrictions.
  • After applying the patch or performing a blocking measure, review server logs for any unauthenticated file requests and ensure that sensitive files are not exposed; consider disabling the plugin entirely if the risk cannot be mitigated.

Generated by OpenCVE AI on June 4, 2026 at 02:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
First Time appeared Smartypantsplugins
Smartypantsplugins sp Project & Document Manager
Wordpress
Wordpress wordpress
Vendors & Products Smartypantsplugins
Smartypantsplugins sp Project & Document Manager
Wordpress
Wordpress wordpress

Thu, 04 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 04 Jun 2026 01:45:00 +0000

Type Values Removed Values Added
Description The SP Project & Document Manager plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the view_file function in all versions up to, and including, 4.71. This makes it possible for unauthenticated attackers to read file metadata and obtain download links for arbitrary files stored inside project folders on the server, which can contain sensitive information. The authorization gate uses a negated nonce check OR-chained with permission checks, meaning a missing or invalid nonce causes the entire condition to evaluate to true and bypass all preceding capability and ownership checks. The secondary fallback check only denies access for root-level files (pid == 0), leaving all files stored inside project folders fully exposed to unauthenticated users who supply only a valid file ID in a POST request to admin-ajax.php.
Title SP Project & Document Manager <= 4.71 - Missing Authorization to Unauthenticated Arbitrary File Information Disclosure via view_file() Function
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Smartypantsplugins Sp Project & Document Manager
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-04T12:53:04.020Z

Reserved: 2026-06-03T13:00:59.355Z

Link: CVE-2026-10737

cve-icon Vulnrichment

Updated: 2026-06-04T12:52:57.325Z

cve-icon NVD

Status : Deferred

Published: 2026-06-04T02:16:17.503

Modified: 2026-06-04T13:53:09.797

Link: CVE-2026-10737

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T07:45:35Z

Weaknesses