CVE-2026-10737: CWE-862 Missing Authorization in smartypants SP Project & Document Manager
The SP Project & Document Manager WordPress plugin contains a missing authorization vulnerability in its view_file function up to version 4.71. This flaw allows unauthenticated attackers to bypass capability checks and access file metadata and download links for arbitrary files within project folders. The vulnerability arises from a flawed authorization condition that uses a negated nonce check OR-chained with permission checks, causing invalid or missing nonces to bypass all capability and ownership verifications. Only root-level files are protected by a secondary check, leaving all other project folder files exposed to unauthorized access via a crafted POST request to admin-ajax.php.
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2026-10737 is a missing authorization vulnerability (CWE-862) in the SP Project & Document Manager plugin for WordPress, affecting all versions up to 4.71. The issue is in the view_file function where the authorization logic incorrectly uses a negated nonce check OR-chained with permission checks. This logic flaw causes the entire authorization condition to evaluate to true if the nonce is missing or invalid, effectively bypassing capability and ownership checks. Consequently, unauthenticated attackers can retrieve file metadata and download links for arbitrary files stored inside project folders, except for root-level files which have a fallback access denial. Exploitation requires only a valid file ID in a POST request to admin-ajax.php.
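The following is an added illustration of the authorization-logic flaw described above, written for this page and not taken from the plugin. It models the condition shape the advisory describes (a negated nonce check OR-chained with the permission checks) next to a corrected form. The request and file arrays, the `nonce_is_valid()` stand-in (used in place of WordPress's `wp_verify_nonce()`/`current_user_can()`), the field names, and the root-level fallback check are all constructed assumptions so the file runs with plain `php` and no WordPress install.

```php
<?php
// Added illustration (not the plugin's code) of the flawed authorization shape
// described in the advisory. All names and data here are constructed.

/** Stand-in for nonce verification: accepts only one constructed token. */
function nonce_is_valid(?string $nonce): bool
{
    return $nonce === 'constructed-valid-nonce';
}

/**
 * Flawed shape: a negated nonce check OR-chained with the permission checks.
 * A missing or invalid nonce makes the first operand true, so PHP's
 * short-circuit `||` never evaluates the capability or ownership checks.
 */
function view_file_allowed_flawed(array $req, array $file): bool
{
    if (!nonce_is_valid($req['nonce'])
        || $req['can_manage']
        || $req['user_id'] === $file['owner_id']) {
        // Assumed secondary check modelling "only root-level files are
        // protected": files with folder_id 0 are denied to anonymous callers.
        if ($file['folder_id'] === 0 && $req['user_id'] === 0) {
            return false;
        }
        return true;
    }
    return false;
}

/**
 * Hardened shape: an invalid nonce is a hard failure, unauthenticated callers
 * never pass, and access requires capability OR ownership on top of the nonce.
 * The folder-level fallback is no longer the only barrier for anonymous users.
 */
function view_file_allowed_fixed(array $req, array $file): bool
{
    if (!nonce_is_valid($req['nonce'])) {
        return false;
    }
    if ($req['user_id'] === 0) {
        return false;
    }
    return $req['can_manage'] || $req['user_id'] === $file['owner_id'];
}

// Constructed sample data: one file inside a project folder, one at root level.
$projectFile = ['id' => 42, 'folder_id' => 7, 'owner_id' => 5];
$rootFile    = ['id' => 43, 'folder_id' => 0, 'owner_id' => 5];

$cases = [
    'anonymous, no nonce, project-folder file' =>
        [['user_id' => 0, 'can_manage' => false, 'nonce' => null], $projectFile],
    'anonymous, no nonce, root-level file' =>
        [['user_id' => 0, 'can_manage' => false, 'nonce' => null], $rootFile],
    'owner with valid nonce' =>
        [['user_id' => 5, 'can_manage' => false, 'nonce' => 'constructed-valid-nonce'], $projectFile],
    'other user with valid nonce' =>
        [['user_id' => 9, 'can_manage' => false, 'nonce' => 'constructed-valid-nonce'], $projectFile],
    'other user with stale nonce' =>
        [['user_id' => 9, 'can_manage' => false, 'nonce' => 'stale'], $projectFile],
];

// Print one row per case so the two decision tables can be compared side by side.
printf("%-42s %-8s %s\n", 'case', 'flawed', 'fixed');
foreach ($cases as $label => [$req, $file]) {
    printf("%-42s %-8s %s\n", $label,
        view_file_allowed_flawed($req, $file) ? 'ALLOW' : 'deny',
        view_file_allowed_fixed($req, $file) ? 'ALLOW' : 'deny');
}
```

Run it with `php example.php`. The table shows the point the advisory makes: in the flawed form, any request whose nonce is missing or stale is granted access to the project-folder file regardless of who sent it, and only the root-level file is rescued by the secondary check; in the fixed form those same requests are denied, while the legitimate owner with a valid nonce is still allowed. The general lesson for code review is that a nonce check belongs as an early hard failure (or as an AND operand), never as a negated operand in an OR-chain with the actual permission checks.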
Potential Impact
An unauthenticated attacker can access sensitive file metadata and download links for arbitrary files stored within project folders on the server. This exposure can lead to unauthorized disclosure of sensitive information. The vulnerability does not allow modification or deletion of files, but the confidentiality of stored data is compromised. Root-level files are protected, but all other files in project folders are accessible without authentication.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict access to admin-ajax.php and project folder files through web server configuration or other access control mechanisms to prevent unauthorized file access. Monitor for updates from the vendor regarding patches or official mitigations.
CVSS v3.1
Score: 7.5 (High)
Weaknesses
CWE-862 Missing Authorization
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-06-03T13:00:59.355Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a20d5f0e29bf47b503026b4
Added to database: 6/4/2026, 1:33:36 AM
Last enriched: 6/4/2026, 1:48:27 AM
Last updated: 6/4/2026, 3:04:58 AM