Description
The SP Project & Document Manager plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the view_file function in all versions up to, and including, 4.71. This makes it possible for unauthenticated attackers to read file metadata and obtain download links for arbitrary files stored inside project folders on the server, which can contain sensitive information. The authorization gate uses a negated nonce check OR-chained with permission checks, meaning a missing or invalid nonce causes the entire condition to evaluate to true and bypass all preceding capability and ownership checks. The secondary fallback check only denies access for root-level files (pid == 0), leaving all files stored inside project folders fully exposed to unauthenticated users who supply only a valid file ID in a POST request to admin-ajax.php.
Published: 2026-06-04
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The SP Project & Document Manager WordPress plugin lacks a capability check in the view_file function: its authorization gate OR-chains a negated nonce check with the capability and ownership checks, so a missing or invalid nonce satisfies the whole condition. An unauthenticated attacker can send a valid file ID to admin-ajax.php and trigger view_file(), bypassing both the capability and the ownership checks. This allows the attacker to read metadata and obtain download links for any file stored inside project folders, exposing potentially sensitive information without authentication.
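The following is an added, schematic illustration of the logic flaw the advisory describes and of a fail-closed alternative; it is not the plugin's source. Only view_file, pid and admin-ajax.php come from the advisory; the nonce action name sp_view_file, the owner_id field, the manage_options capability and the handler/function names are assumptions made for the example.

```php
<?php
// Added illustration; NOT the plugin's code. Only view_file, pid and
// admin-ajax.php are named in the advisory; everything else here is assumed.

// --- Weak gate: the pattern the advisory describes ---
// The allow condition OR-chains the capability and ownership checks with a
// NEGATED nonce check. A request that carries no nonce (or a bad one) makes
// !wp_verify_nonce(...) true, so $allowed is true for anyone, including an
// unauthenticated caller. The only remaining denial is for root-level files.
function view_file_weak_gate( array $file, int $current_user_id, string $nonce ): bool {
    $allowed = current_user_can( 'manage_options' )                 // assumed capability
        || (int) $file['owner_id'] === $current_user_id             // assumed field
        || ! wp_verify_nonce( $nonce, 'sp_view_file' );             // assumed action name

    if ( ! $allowed ) {
        return false;
    }
    if ( (int) $file['pid'] === 0 ) {   // secondary fallback: root-level files only
        return false;
    }
    return true;                        // every file inside a project folder passes
}

// --- Hardened gate ---
// A nonce is a CSRF token, not an authorization decision: an invalid nonce
// must deny, never allow. Authentication and a positive authorization check
// (capability OR ownership of this specific file) are then required for every
// file, not only root-level ones.
function view_file_hardened_gate( array $file, int $current_user_id, string $nonce ): bool {
    if ( ! wp_verify_nonce( $nonce, 'sp_view_file' ) ) {
        return false;                   // fail closed on a missing/invalid nonce
    }
    if ( $current_user_id === 0 ) {
        return false;                   // unauthenticated callers are rejected
    }
    return current_user_can( 'manage_options' )
        || (int) $file['owner_id'] === $current_user_id;
}

// --- Handler wiring (assumed names) ---
// Registering the action only under wp_ajax_ (and not wp_ajax_nopriv_) keeps
// admin-ajax.php from routing unauthenticated requests to it at all;
// check_ajax_referer() terminates the request on a bad nonce before any
// file lookup happens.
add_action( 'wp_ajax_sp_view_file', 'sp_view_file_handler' );

function sp_view_file_handler() {
    check_ajax_referer( 'sp_view_file', 'nonce' );

    $file_id = isset( $_POST['file_id'] ) ? absint( $_POST['file_id'] ) : 0;
    $file    = sp_example_load_file( $file_id );           // assumed lookup helper
    if ( ! $file ) {
        wp_send_json_error( 'not found', 404 );
    }

    $nonce = isset( $_POST['nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['nonce'] ) ) : '';
    if ( ! view_file_hardened_gate( $file, get_current_user_id(), $nonce ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Only now is metadata (and any download link) released to the caller.
    wp_send_json_success( array( 'name' => $file['name'] ) );
}

// Placeholder for whatever storage lookup a real plugin would perform.
function sp_example_load_file( int $file_id ) {
    return $file_id > 0
        ? array( 'id' => $file_id, 'pid' => 1, 'owner_id' => 2, 'name' => 'example.pdf' )
        : null;
}
```

The behaviour difference is easy to exercise in review: with an empty nonce and user ID 0, view_file_weak_gate() returns true for any file whose pid is not 0, while view_file_hardened_gate() returns false at the first check. When auditing a plugin for this class of bug (CWE-862), look for nonce checks that appear on the "allow" side of an OR rather than as a standalone deny.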

Affected Systems

All released versions of the SP Project & Document Manager plugin for WordPress up to and including version 4.71 are affected. The vulnerability applies to every installation of these versions and persists until the plugin is updated beyond 4.71.

Risk and Exploitability

The flaw carries a CVSS score of 7.5, indicating high severity. The EPSS score is currently unavailable, and the vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw by crafting a simple POST request to admin-ajax.php with a file ID, requiring no authentication or additional privileges. The missing authorization check makes exploitation straightforward, and the ability to retrieve arbitrary file links or metadata poses a significant confidentiality risk to users and site administrators.

Generated by OpenCVE AI on June 4, 2026 at 02:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the SP Project & Document Manager plugin to the latest released version that has fixed the missing capability check; the vendor recommends upgrading beyond 4.71.
  • If an immediate plugin update is not possible, restrict access to admin-ajax.php for unauthenticated users or block the view_file endpoint entirely using web-application firewall rules or .htaccess restrictions.
  • After applying the patch or performing a blocking measure, review server logs for any unauthenticated file requests and ensure that sensitive files are not exposed; consider disabling the plugin entirely if the risk cannot be mitigated.


Advisories

No advisories yet.

History

Thu, 04 Jun 2026 01:45:00 +0000

Columns: Type, Values Removed, Values Added

Type: Description
Values Removed: (none)
Values Added: The SP Project & Document Manager plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the view_file function in all versions up to, and including, 4.71. This makes it possible for unauthenticated attackers to read file metadata and obtain download links for arbitrary files stored inside project folders on the server, which can contain sensitive information. The authorization gate uses a negated nonce check OR-chained with permission checks, meaning a missing or invalid nonce causes the entire condition to evaluate to true and bypass all preceding capability and ownership checks. The secondary fallback check only denies access for root-level files (pid == 0), leaving all files stored inside project folders fully exposed to unauthenticated users who supply only a valid file ID in a POST request to admin-ajax.php.

Type: Title
Values Removed: (none)
Values Added: SP Project & Document Manager <= 4.71 - Missing Authorization to Unauthenticated Arbitrary File Information Disclosure via view_file() Function

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-862

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-04T01:26:44.640Z

Reserved: 2026-06-03T13:00:59.355Z

Link: CVE-2026-10737

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-04T02:16:17.503

Modified: 2026-06-04T02:16:17.503

Link: CVE-2026-10737

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-04T02:30:03Z

Weaknesses