CVE-2025-14844
HIGHCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Lifecycle Timeline
3Tags
Description
The Membership Plugin - Restrict Content plugin for WordPress is vulnerable to Missing Authentication in all versions up to, and including, 3.2.16 via the 'rcp_stripe_create_setup_intent_for_saved_card' function due to missing capability check. Additionally, the plugin does not check a user-controlled key, which makes it possible for unauthenticated attackers to leak Stripe SetupIntent client_secret values for any membership.
Analysis
Restrict Content versions up to 3.2.16 is affected by authorization bypass through user-controlled key (CVSS 8.2).
Technical Context
This vulnerability (CWE-639: Authorization Bypass Through User-Controlled Key) affects Restrict Content. The Membership Plugin – Restrict Content plugin for WordPress is vulnerable to Missing Authentication in all versions up to, and including, 3.2.16 via the 'rcp_stripe_create_setup_intent_for_saved_card' function due to missing capability check. Additionally, the plugin does not check a user-controlled key, which makes it possible for unauthenticated attackers to leak Stripe SetupIntent client_secret values for any membership.
Affected Products
Vendor: Liquidweb. Product: Restrict Content. Versions: up to 3.2.16.
Remediation
A vendor patch is available — apply it immediately. Restrict network access to the affected service where possible.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today