CVE-2026-10737

Severity: High
Weakness type: CWE-862 (Missing Authorization)
Published: Jun 4, 2026  ·  Modified: Jun 10, 2026  ·  Source: NVD
CVSS v3.1 base score: 7.5
📄 Description (English)

The SP Project & Document Manager plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the view_file function in all versions up to, and including, 4.71. This makes it possible for unauthenticated attackers to read file metadata and obtain download links for arbitrary files stored inside project folders on the server, which can contain sensitive information. The authorization gate uses a negated nonce check OR-chained with permission checks, meaning a missing or invalid nonce causes the entire condition to evaluate to true and bypass all preceding capability and ownership checks. The secondary fallback check only denies access for root-level files (pid == 0), leaving all files stored inside project folders fully exposed to unauthenticated users who supply only a valid file ID in a POST request to admin-ajax.php.
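The gate the description names, reconstructed as an added illustration. This is not the plugin's source: the `$file` fields (`user_id`, `pid`, `name`, `download_url`), the `nonce` POST key, the `sp_view_file` nonce action and the `manage_options` capability are assumptions; only the shape of the condition (capability and ownership checks OR-chained with a negated nonce check, then a `pid == 0` fallback) follows the description. The hardened form beside it shows why the fix is structural rather than a one-character change.

```php
<?php
// Added illustration of the flawed authorization gate described on this page.
// NOT the plugin's code: $file fields, the 'nonce' POST key, the nonce action and
// the capability name are assumptions; only the shape of the condition is from the text.

/**
 * Vulnerable shape: capability/ownership checks OR-chained with a NEGATED nonce check.
 * The author meant "allow admins, allow the owner, reject bad nonces"; what the
 * expression actually says is "allow anyone whose nonce is missing or invalid".
 */
function spdm_view_file_vulnerable( $file, $current_user_id ) {
	$nonce_ok = isset( $_POST['nonce'] )
		&& wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['nonce'] ) ), 'sp_view_file' );

	if ( current_user_can( 'manage_options' )                // admin?  false for an anonymous caller
		|| (int) $file->user_id === (int) $current_user_id   // owner?  false for an anonymous caller (user id 0)
		|| ! $nonce_ok ) {                                   // "bad nonce": TRUE when no nonce is sent at all
		// Secondary fallback: only files at the root (pid == 0) are refused,
		// so every file inside a project folder is handed back to the caller.
		if ( 0 === (int) $file->pid ) {
			return new WP_Error( 'forbidden', 'Root-level files are not accessible.' );
		}
		return array( 'name' => $file->name, 'url' => $file->download_url );
	}
	return new WP_Error( 'forbidden', 'Not authorized.' );
}

/**
 * Hardened shape: each check is its own gate that stops the request.
 * A nonce is a CSRF token, not an authorization decision, so it is verified
 * first and never combined with capability or ownership logic.
 */
function spdm_view_file_fixed( $file, $current_user_id ) {
	// 1. CSRF token: must be present and valid, otherwise stop here (dies with 403).
	check_ajax_referer( 'sp_view_file', 'nonce' );

	// 2. Authentication: anonymous callers never reach the file lookup.
	if ( 0 === (int) $current_user_id ) {
		return new WP_Error( 'forbidden', 'Login required.' );
	}

	// 3. Authorization: admin OR owner, and nothing else can make this true.
	$is_admin = current_user_can( 'manage_options' );
	$is_owner = (int) $file->user_id === (int) $current_user_id;
	if ( ! $is_admin && ! $is_owner ) {
		return new WP_Error( 'forbidden', 'Not authorized.' );
	}

	// No pid == 0 special case: root-level and project-folder files get the same gate.
	return array( 'name' => $file->name, 'url' => $file->download_url );
}
```

Trace an anonymous POST with a valid file ID and no nonce through both: in the vulnerable form `current_user_can()` and the ownership test are false, `! $nonce_ok` is true, the OR is true, and any file with `pid != 0` is returned; in the hardened form `check_ajax_referer()` terminates the request before a file is even looked up, and a caller who does hold a nonce still has to pass authentication and then the admin-or-owner test.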

🤖 AI Executive Summary

CVE-2026-10737 is a high-severity (CVSS 7.5) authorization bypass in the SP Project & Document Manager WordPress plugin (versions up to and including 4.71). The view_file AJAX handler combines its capability and ownership checks with a negated nonce check using OR, so an attacker who simply omits the nonce satisfies the gate and, with nothing more than a valid file ID, retrieves file metadata and a download link for any file stored inside a project folder; only root-level files (pid == 0) are refused. With no patch currently available and no exploit publicly disclosed, organizations running this plugin face immediate risk of exfiltration of business documents, contracts and other confidential material.

🤖 AI Intelligence Analysis (analyzed Jun 8, 2026 07:17)
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability poses significant risk to Saudi organizations across multiple sectors:
1. Banking and financial services (SAMA-regulated entities): exposure of customer financial documents, loan applications and transaction records.
2. Government agencies (NCA oversight): potential disclosure of classified procurement documents and administrative records.
3. Healthcare providers: patient records and medical documentation.
4. Energy sector (ARAMCO, SABIC): technical specifications, project plans and operational documents.
5. Telecommunications (STC, Mobily): customer contracts and network infrastructure documentation.
6. Real estate and construction: architectural plans, contracts and project specifications.
The exposure is broad because many Saudi organizations use WordPress-based document management for internal collaboration and client-facing portals, and an unauthenticated attacker needs only a valid file ID to obtain metadata and a download link.
🏢 Affected Saudi Sectors
Banking & Financial Services, Government & Public Administration, Healthcare & Medical Services, Energy & Utilities, Telecommunications, Real Estate & Construction, Legal Services, Education, Retail & E-commerce
⚖️ Saudi Risk Score (AI): 8.2 / 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Deactivate the SP Project & Document Manager plugin until a fixed release is available; deactivation removes the vulnerable AJAX handler entirely.
2. If the plugin cannot be deactivated, block only the vulnerable action: deny POST requests to admin-ajax.php whose body carries action=view_file and which present no wordpress_logged_in_* cookie. Do not block admin-ajax.php wholesale; many themes and plugins use it for legitimate unauthenticated (nopriv) actions such as front-end forms, and a blanket .htaccess rule will break them.
3. Hunt for exploitation. Standard web-server access logs record the request line, not the POST body, so action=view_file is visible there only when the attacker put it in the query string; for body parameters you need a WAF or ModSecurity audit log, request-body logging on the reverse proxy, or application-side logging placed in front of the handler.
4. Treat every file stored in project folders as potentially disclosed: inventory them, rotate any credentials, keys or tokens they contain, and notify the owners of regulated data as PDPL or sector rules require.

DETECTION RULES:
- Alert on POST requests to /wp-admin/admin-ajax.php whose body or query string contains action=view_file and which carry no wordpress_logged_in_* cookie. This needs a log source that captures request bodies (WAF, ModSecurity audit log, or the application itself); plain access logs will not show the action parameter.
- Nonce validity cannot be judged from web-server logs. A missing nonce parameter alongside a file ID parameter is the observable proxy; only the application can tell a valid nonce from an invalid one, so log the verification result there.
- Flag any unauthenticated call to document-retrieval actions, and any single source calling view_file at a rate no human user of the document manager would sustain.
- Look for sequential or monotonically increasing file ID values from one source. A valid ID is all the attacker needs, so enumeration is the expected pattern.

COMPENSATING CONTROLS:
1. WAF rule scoped to the vulnerable action: block POST /wp-admin/admin-ajax.php when the body contains action=view_file and no wordpress_logged_in_* cookie is present. Blocking all unauthenticated admin-ajax.php traffic breaks legitimate nopriv actions.
2. Filesystem permissions (644 for files, 755 for directories) are good hygiene but do not mitigate this bypass: the web-server process reads the files on the plugin's behalf, so any permission that lets the site serve a file also lets the bypass reveal it.
3. Moving project folders outside the web root, or denying direct web access to them, only helps if the plugin streams downloads through PHP. If the download links it returns point straight at the files, confirm that before changing paths or you will break legitimate downloads.
4. Put an authentication layer (reverse proxy or API gateway) in front of internal-only document portals, so no request reaches WordPress without an identity.
5. Forward web-server, WAF and application logs to the SIEM and alert on the detection rules above.
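The scoped block from the compensating controls and the logging the detection rules depend on, expressed as one WordPress must-use plugin. This is an added example, not code from this page or from the plugin's authors. It assumes, as the description states, that the vulnerable handler is reached through admin-ajax.php with action=view_file, and that it runs on wp_ajax_nopriv_* or on 'init' at the default priority, so a priority-0 'init' hook fires before it; the POST key carrying the file ID is not named on this page, so numeric POST values are logged instead of a specific parameter. Function names, the constant name and the log prefix are this example's own.

```php
<?php
/**
 * Plugin Name: CVE-2026-10737 view_file guard (temporary)
 * Description: Blocks and logs admin-ajax.php requests for action=view_file that
 *              carry no logged-in session. Place this file in wp-content/mu-plugins/
 *              and remove it once the plugin is patched.
 *
 * Added example, not the page's or the plugin's own code. Assumptions: the
 * vulnerable handler is reached via admin-ajax.php with action=view_file and
 * runs on wp_ajax_nopriv_* or on 'init' at default priority, so a priority-0
 * 'init' hook fires first. The file-ID POST key is not named on the page, so
 * numeric POST values are logged instead of one parameter.
 */

defined( 'ABSPATH' ) || exit;

// Capability a logged-in user must hold to reach view_file at all.
// 'read' = any logged-in user; raise it (e.g. 'upload_files') if only staff use the plugin.
if ( ! defined( 'SPDM_GUARD_MIN_CAP' ) ) {
	define( 'SPDM_GUARD_MIN_CAP', 'read' );
}

/**
 * Pure policy decision, kept free of WordPress calls so it can be reasoned about:
 * returns 'ignore' for every request that is not a view_file AJAX call,
 * 'allow' for an authenticated caller holding the capability, 'deny' otherwise.
 */
function spdm_guard_decision( $is_ajax, $action, $logged_in, $has_cap ) {
	if ( ! $is_ajax || 'view_file' !== $action ) {
		return 'ignore';
	}
	return ( $logged_in && $has_cap ) ? 'allow' : 'deny';
}

function spdm_guard_run() {
	$action   = isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '';
	$decision = spdm_guard_decision(
		wp_doing_ajax(),
		$action,
		is_user_logged_in(),
		current_user_can( SPDM_GUARD_MIN_CAP )
	);
	if ( 'ignore' === $decision ) {
		return;                                  // every other request and AJAX action is untouched
	}
	spdm_guard_log( $decision );                 // allowed calls are logged too, for enumeration analysis
	if ( 'deny' === $decision ) {
		wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );   // emits JSON and exits
	}
}
add_action( 'init', 'spdm_guard_run', 0 );

/**
 * One JSON line per event via error_log(); point the PHP error log at the SIEM.
 * Numeric POST values stand in for the (unnamed) file-ID parameter, so sequential
 * enumeration shows up as a run of consecutive values from one source.
 */
function spdm_guard_log( $outcome ) {
	$numeric = array();
	foreach ( $_POST as $key => $value ) {
		if ( is_scalar( $value ) && is_numeric( $value ) ) {
			$numeric[ sanitize_key( $key ) ] = (string) $value;
		}
	}
	$record = array(
		'event'     => 'cve_2026_10737_view_file',
		'outcome'   => $outcome,
		'ts'        => gmdate( 'c' ),
		'ip'        => isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '',
		'ua'        => isset( $_SERVER['HTTP_USER_AGENT'] ) ? sanitize_text_field( wp_unslash( $_SERVER['HTTP_USER_AGENT'] ) ) : '',
		'user_id'   => get_current_user_id(),
		'post_keys' => array_map( 'sanitize_key', array_keys( $_POST ) ),
		'numeric'   => $numeric,
	);
	error_log( 'SPDM-GUARD ' . wp_json_encode( $record ) );
}
```

Two limits to keep in mind. Behind a reverse proxy or cloud WAF, REMOTE_ADDR is the proxy, so take the client address from the header your proxy sets and trusts. And the guard only closes the unauthenticated path: a logged-in low-privilege user still reaches the plugin's own flawed gate, so raise SPDM_GUARD_MIN_CAP where the user base allows it and remove the guard only after the patched release is installed.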

PATCHING GUIDANCE:
- Monitor plugin repository for security update (currently unavailable)
- Consider alternative document management solutions with proper authorization controls
- If update becomes available, test in staging environment before production deployment
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
- Information security policies and procedures
- User access management
- Privileged access rights
- Physical and logical access controls
- Classification of information
- Handling of assets
- Event logging
- Protection of log information
🔵 SAMA CSF
- Cyber Security Leadership and Governance: cyber security policy
- Cyber Security Risk Management and Compliance: risk management
- Cyber Security Operations and Technology: asset management; identity and access management; security event management and monitoring; cyber security incident management
🟡 ISO 27001:2022 (Annex A)
- A.5.3 Segregation of duties
- A.5.15 Access control
- A.5.18 Access rights
- A.8.2 Privileged access rights
- A.8.3 Information access restriction
- A.8.8 Management of technical vulnerabilities
- A.8.15 Logging
🟣 PCI DSS v4.0.1
- 3.5.1 PAN is rendered unreadable anywhere it is stored
- 6.2.4 Software engineering techniques that prevent or mitigate common software attacks, including attacks on access control mechanisms
- 6.3.3 Known vulnerabilities are addressed by installing applicable security patches or updates
- 7.2.1 and 7.2.2 Access control model defined; access assigned by job function on a least-privilege basis
- 10.2.1 Audit logs enabled and active for all system components and cardholder data
📊 CVSS v3.1 base score: 7.5 / 10.0 (High)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- Attack Vector (AV): N, Network
- Attack Complexity (AC): L, Low
- Privileges Required (PR): N, None
- User Interaction (UI): N, None
- Scope (S): U, Unchanged
- Confidentiality (C): H, High
- Integrity (I): N, None
- Availability (A): N, None
📋 Quick Facts
- Severity: High
- CVSS score: 7.5
- CWE: CWE-862
- EPSS: 0.07%
- Public exploit: No
- Patch available: No
- Published: 2026-06-04
- Source feed: NVD
🇸🇦 Saudi Risk Score: 8.2 / 10.0, priority CRITICAL
🏷️ Tags: CWE-862