CVE-2026-10737 | Severity: HIGH | CNA: Wordfence

CVE-2026-10737: SP Project & Document Manager <= 4.71 - Missing Authorization to Unauthenticated Arbitrary File Information Disclosure via view_file() Function

The SP Project & Document Manager plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the view_file function in all versions up to, and including, 4.71. This makes it possible for unauthenticated attackers to read file metadata and obtain download links for arbitrary files stored inside project folders on the server, which can contain sensitive information. The authorization gate uses a negated nonce check OR-chained with permission checks, meaning a missing or invalid nonce causes the entire condition to evaluate to true and bypass all preceding capability and ownership checks. The secondary fallback check only denies access for root-level files (pid == 0), leaving all files stored inside project folders fully exposed to unauthenticated users who supply only a valid file ID in a POST request to admin-ajax.php.

Metrics

  • CVSS v3.1: 7.5
  • Severity: HIGH
  • Fixed in: no fixed version published yet
  • Affected Products: 1


HarborGuard Analysis

Synopsis

Missing authorization check in the SP Project & Document Manager plugin for WordPress (versions up to and including 4.71) allows any unauthenticated attacker to read file metadata and retrieve download links for arbitrary files stored inside project folders. The flaw stems from a logic error in the view_file() function where a negated nonce check is OR-chained with permission checks, causing a missing or invalid nonce to bypass all capability and ownership verification entirely. Successful exploitation exposes sensitive project documents to anyone who can reach the WordPress site's admin-ajax.php endpoint and supply a valid file ID. No fix version has been published; HarborGuard tracks the upstream advisory and will make a patched rebuild available as soon as one is released.
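The gate shape described above, beside a fail-closed rewrite, as an added illustration that is not the plugin's source. `wp_verify_nonce`, `get_current_user_id` and `current_user_can` are standard WordPress functions; `sp_lookup_file`, the `sp_view_file` nonce action, the `manage_options` capability choice and the record fields are assumptions made for the example.

```php
<?php
// Added illustration, not the plugin's source. WordPress functions used
// (wp_verify_nonce, get_current_user_id, current_user_can) are real;
// sp_lookup_file, the 'sp_view_file' nonce action, the capability name and
// the record fields are hypothetical stand-ins.

/** Hypothetical lookup returning owner user ID and parent project ID (pid). */
function sp_lookup_file( int $file_id ): ?array {
    // Constructed sample records standing in for the plugin's database table.
    $files = array(
        7  => array( 'owner' => 12, 'pid' => 0, 'name' => 'root-level.pdf' ),
        42 => array( 'owner' => 12, 'pid' => 3, 'name' => 'contract.pdf' ),
    );
    return $files[ $file_id ] ?? null;
}

// Gate shape the advisory describes. The negated nonce term sits on an OR-chain
// with the permission terms, so an absent or invalid nonce alone makes $allowed
// true, and the only remaining denial is the pid == 0 fallback:
//
//   $allowed = current_user_can( 'manage_options' ) || $is_owner
//       || ! wp_verify_nonce( $nonce, 'sp_view_file' );   // BUG
//   if ( $allowed && $file['pid'] !== 0 ) { /* return metadata + link */ }

/** Fail-closed rewrite: every check is necessary, none is sufficient alone. */
function sp_view_file_hardened( int $file_id, string $nonce ): array {
    // 1. CSRF token: reject when missing or invalid, never "allow when missing".
    if ( ! wp_verify_nonce( $nonce, 'sp_view_file' ) ) {
        return array( 'ok' => false, 'reason' => 'bad_nonce' );
    }
    // 2. A nonce is not authentication: require a logged-in user explicitly.
    $user_id = get_current_user_id();
    if ( 0 === $user_id ) {
        return array( 'ok' => false, 'reason' => 'unauthenticated' );
    }
    $file = sp_lookup_file( $file_id );
    if ( null === $file ) {
        return array( 'ok' => false, 'reason' => 'not_found' );
    }
    // 3. Authorization applies to every file, not only those with pid == 0.
    if ( $file['owner'] !== $user_id && ! current_user_can( 'manage_options' ) ) {
        return array( 'ok' => false, 'reason' => 'forbidden' );
    }
    return array( 'ok' => true, 'file' => $file );
}
```

In the admin-ajax handler, map a false `ok` to `wp_send_json_error( $result['reason'], 403 )` so that every denial path returns nothing about the file.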

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including Wordfence and NVD) within minutes of publication and matched against customer images containing the SP Project & Document Manager plugin, including custom-built WordPress images. Any image layer that includes the plugin at version 4.71 or below is flagged automatically.

Triage: Available

HarborGuard scores this CVE at 7.5 HIGH using the published CVSS v3.1 vector and weights it against each customer environment's compliance policy, escalating findings that involve publicly reachable WordPress deployments. Routed alerts reach the inbox or ticketing integration configured for the affected workload's owning team.

Patch: Pending upstream

Because no upstream fix version has been published, HarborGuard re-checks the Wordfence advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered automatically at that point.

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to send an HTTP POST request to the target WordPress site's admin-ajax.php endpoint over the network; no LAN or physical proximity is required.

  • Authentication: Not required

    No account or credential of any kind is needed; supplying only a valid file ID in the POST body is sufficient to trigger the vulnerability.

  • Victim interaction: Not required

    The attack is entirely server-side; no user needs to click a link, open a file, or take any other action for exploitation to succeed.

  • Attack complexity: Low (AC:L in the published vector)

    Exploitation is reliable and condition-free, requiring only knowledge of a valid file ID; no race conditions or special environmental factors apply.

Blast Radius

  • Attacker retrieves metadata (file names, paths, ownership details) for any file stored inside project folders on the WordPress server.
  • Attacker obtains direct download links for those files, enabling them to exfiltrate documents such as contracts, invoices, internal reports, or credentials stored in project directories.
  • Sensitive information exposed through downloaded files can be used for follow-on attacks such as credential stuffing, social engineering, or targeted phishing.

How HarborGuard Handles This

Because no upstream patch exists for CVE-2026-10737, HarborGuard monitors the Wordfence advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream fix is published. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will trigger without manual intervention. In the interim, compensating controls to consider include network-policy rules that restrict unauthenticated access to admin-ajax.php at the ingress or WAF layer, egress filtering to limit exfiltration paths from the WordPress host, and auditing existing project folder contents for sensitive documents that should be relocated or access-gated outside the plugin's storage path. HarborGuard will surface this CVE in scan results for any image containing SP Project & Document Manager at 4.71 or below until a fix is confirmed upstream.

Affected packages

  • smartypants / SP Project & Document Manager: ≤ 4.71

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N