CVE-2025-14844 Overview
The Membership Plugin – Restrict Content for WordPress contains a critical Missing Authentication vulnerability affecting all versions up to and including 3.2.16. The vulnerability exists in the rcp_stripe_create_setup_intent_for_saved_card function, which lacks proper capability checks, allowing unauthenticated attackers to access sensitive Stripe payment information.
This Authorization Bypass flaw (CWE-639) enables attackers to leak Stripe SetupIntent client_secret values for any membership without authentication. The lack of proper user-controlled key validation combined with missing authentication checks creates a significant exposure of sensitive payment gateway data.
Critical Impact
Unauthenticated attackers can extract Stripe SetupIntent client_secret values for any membership, potentially enabling payment fraud and unauthorized access to payment infrastructure.
Affected Products
- Membership Plugin – Restrict Content for WordPress versions ≤ 3.2.16
- WordPress sites using Stripe payment gateway integration with the affected plugin
- All membership configurations utilizing the vulnerable Stripe functions
Discovery Timeline
- 2026-01-16 - CVE-2025-14844 published to NVD
- 2026-01-16 - Last updated in NVD database
Technical Details for CVE-2025-14844
Vulnerability Analysis
This vulnerability represents an Authorization Bypass Through User-Controlled Key flaw (CWE-639) in the Restrict Content plugin's Stripe integration functionality. The root cause is a missing capability check in the rcp_stripe_create_setup_intent_for_saved_card function located in the plugin's Stripe gateway functions file.
When processing requests to create setup intents for saved cards, the plugin fails to verify whether the requesting user has appropriate permissions to access the requested membership data. Furthermore, the plugin does not properly validate user-controlled keys, allowing attackers to enumerate and access SetupIntent data across different membership accounts.
The Stripe SetupIntent client_secret is a sensitive value that should only be accessible to the legitimate customer. When exposed, this secret can be used to confirm the SetupIntent and potentially manipulate payment methods associated with the membership.
Root Cause
The vulnerability stems from two critical security oversights in the plugin's Stripe integration:
Missing Capability Check: The rcp_stripe_create_setup_intent_for_saved_card function does not implement WordPress capability checks (current_user_can()) to verify the requesting user has authorization to perform the action.
Improper Access Control on User-Controlled Keys: The function accepts user-supplied identifiers without verifying ownership, allowing attackers to request SetupIntent data for arbitrary memberships by manipulating request parameters.
The vulnerable code paths can be reviewed in the WordPress Plugin Code Reference and the related function implementation.
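The two oversights above translate into one missing authorization gate. The following is an added illustration written for this advisory, not the plugin's own code or its patch: a WordPress AJAX handler in the vulnerable shape (anonymous hook registered, client-supplied membership ID used as-is) beside a hardened one that authenticates the caller and verifies ownership before any Stripe SetupIntent is created. The action name 'example_setup_intent', the request fields 'membership_id' and 'nonce', and example_create_setup_intent() (a stand-in for the plugin's Stripe call) are hypothetical; rcp_get_membership(), RCP_Membership::get_customer() and RCP_Customer::get_user_id() are assumed to be available as in the Restrict Content Pro 3.x code base, so substitute your version's lookup if it differs.

```php
<?php
/**
 * Added illustration, not the plugin's own code. Shows the authorization
 * gate the advisory says was missing: authenticate the caller, then check
 * that the client-supplied membership ID belongs to that caller before a
 * Stripe SetupIntent is created.
 *
 * Assumptions (hypothetical unless stated): the AJAX action name
 * 'example_setup_intent', the request fields 'membership_id' and 'nonce',
 * and example_create_setup_intent(), which stands in for the plugin's own
 * Stripe call. rcp_get_membership(), RCP_Membership::get_customer() and
 * RCP_Customer::get_user_id() are assumed from the Restrict Content Pro 3.x
 * code base; substitute your version's equivalents.
 */

/**
 * Resolve a client-supplied membership ID to a membership the current user
 * may act on. Returns the membership object, or null when the request must
 * be refused. "Not found" and "not yours" both yield null so the response
 * does not reveal which IDs exist.
 */
function example_authorize_membership_access( $raw_id ) {
    if ( ! is_user_logged_in() ) {
        return null; // anonymous callers never reach membership data
    }

    $membership_id = absint( $raw_id );
    if ( 0 === $membership_id ) {
        return null;
    }

    $membership = rcp_get_membership( $membership_id );
    if ( ! $membership ) {
        return null;
    }

    // Ownership: the membership's customer must be the requesting user.
    $customer = $membership->get_customer();
    $owner_id = $customer ? (int) $customer->get_user_id() : 0;
    $is_owner = ( $owner_id > 0 && $owner_id === get_current_user_id() );

    // Only a site administrator may act on someone else's membership.
    if ( ! $is_owner && ! current_user_can( 'manage_options' ) ) {
        return null;
    }

    return $membership;
}

// BEFORE: the vulnerable shape. Registered for anonymous callers as well
// (wp_ajax_nopriv_), and the caller's membership_id is used as-is.
//   add_action( 'wp_ajax_nopriv_example_setup_intent', 'example_setup_intent_unchecked' );
//   add_action( 'wp_ajax_example_setup_intent',        'example_setup_intent_unchecked' );
function example_setup_intent_unchecked() {
    $membership = rcp_get_membership( absint( $_POST['membership_id'] ?? 0 ) );
    wp_send_json_success( array( 'client_secret' => example_create_setup_intent( $membership ) ) );
}

// AFTER: the hardened shape. No nopriv hook, a nonce bound to the page that
// rendered the form, and the ownership gate above before any Stripe call.
add_action( 'wp_ajax_example_setup_intent', 'example_setup_intent_checked' );
function example_setup_intent_checked() {
    check_ajax_referer( 'example_setup_intent_nonce', 'nonce' ); // terminates on a bad nonce

    $membership = example_authorize_membership_access( $_POST['membership_id'] ?? 0 );
    if ( null === $membership ) {
        wp_send_json_error( array( 'message' => 'Invalid membership.' ), 403 ); // exits
    }

    wp_send_json_success( array( 'client_secret' => example_create_setup_intent( $membership ) ) );
}
```

The nonce is minted on the page that renders the card form with wp_create_nonce( 'example_setup_intent_nonce' ) and posted back in the 'nonce' field. Dropping the wp_ajax_nopriv_ registration alone is not sufficient: a logged-in member could still supply another member's ID, which is exactly the CWE-639 half of this issue, so the ownership check is the part that must not be skipped.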
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by:
- Identifying WordPress sites running the vulnerable Restrict Content plugin with Stripe integration
- Crafting requests to the rcp_stripe_create_setup_intent_for_saved_card AJAX endpoint
- Manipulating membership identifiers to enumerate and extract client_secret values
- Leveraging the exposed secrets to potentially manipulate payment methods or conduct financial fraud
The vulnerability is particularly concerning because it exposes payment infrastructure secrets without requiring any prior authentication to the WordPress site.
Detection Methods for CVE-2025-14844
Indicators of Compromise
- Unusual volume of AJAX requests to the rcp_stripe_create_setup_intent_for_saved_card endpoint from unauthenticated sessions
- Sequential or enumeration-pattern requests targeting different membership IDs
- Requests to Stripe-related AJAX handlers from IP addresses with no associated user sessions
- Unexpected Stripe API activity related to SetupIntent retrieval without corresponding legitimate user actions
Detection Strategies
- Monitor WordPress AJAX request logs for unauthenticated calls to rcp_stripe_create_setup_intent_for_saved_card
- Implement rate limiting on Stripe-related AJAX endpoints to detect enumeration attempts
- Review Stripe dashboard logs for unusual SetupIntent creation or retrieval patterns
- Deploy Web Application Firewall (WAF) rules to detect parameter manipulation in membership-related requests
Monitoring Recommendations
- Enable detailed WordPress request logging for the admin-ajax.php endpoint
- Configure Stripe webhook monitoring for anomalous SetupIntent activity
- Implement alerting for high-frequency requests to payment gateway functions
- Review access logs for requests containing membership parameters from unauthenticated sources
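The indicators, detection strategies and monitoring recommendations above can be turned into a small log check. The following is an added example written for this advisory, not part of the plugin or of any vendor tooling: it reads a WordPress-level request log and reports the two indicators that matter here, calls to the affected action with no user session, and one client requesting many membership IDs. The log format is constructed for the example (one JSON object per line with ts, ip, user_id, action and membership_id, as a hypothetical request logger hooked into admin-ajax.php might write); the sample lines and IP addresses are likewise constructed.

```php
<?php
/**
 * Added detection example, not part of the advisory or the plugin. Scans a
 * WordPress-level request log for two indicators: calls to the affected
 * AJAX action that arrive without a user session, and one client walking
 * through many membership IDs.
 *
 * The log format is constructed for this example: one JSON object per line
 * with fields ts, ip, user_id (0 when there is no WordPress session), action
 * and membership_id, as a hypothetical request logger hooked into
 * admin-ajax.php might write. Adapt the field names to your logger.
 */

const EXAMPLE_TARGET_ACTION = 'rcp_stripe_create_setup_intent_for_saved_card';

/**
 * Return a list of human-readable findings for the given log lines.
 * $enum_threshold is the number of distinct membership IDs one IP may
 * request before it is reported as an enumeration pattern.
 */
function example_analyze_ajax_log( array $lines, int $enum_threshold = 5 ): array {
    $findings = array();
    $per_ip   = array(); // ip => membership ids requested, in order seen

    foreach ( $lines as $n => $line ) {
        $rec = json_decode( $line, true );
        if ( ! is_array( $rec ) || ( $rec['action'] ?? '' ) !== EXAMPLE_TARGET_ACTION ) {
            continue; // malformed or unrelated request
        }

        $ip  = (string) ( $rec['ip'] ?? 'unknown' );
        $mid = (int) ( $rec['membership_id'] ?? 0 );
        $uid = (int) ( $rec['user_id'] ?? 0 );

        // Indicator 1: the action was reached with no WordPress user session.
        if ( 0 === $uid ) {
            $findings[] = sprintf( 'line %d: unauthenticated call from %s for membership %d', $n + 1, $ip, $mid );
        }
        $per_ip[ $ip ][] = $mid;
    }

    // Indicator 2: one client requesting many distinct memberships. A contiguous
    // ID range is the sequential pattern listed under Indicators of Compromise.
    foreach ( $per_ip as $ip => $ids ) {
        $distinct = array_values( array_unique( $ids ) );
        if ( count( $distinct ) < $enum_threshold ) {
            continue;
        }
        sort( $distinct );
        $contiguous = ( $distinct[ count( $distinct ) - 1 ] - $distinct[0] + 1 ) === count( $distinct );
        $findings[] = sprintf(
            '%s: %d distinct membership ids requested%s',
            $ip,
            count( $distinct ),
            $contiguous ? ' (contiguous range: enumeration pattern)' : ''
        );
    }

    return $findings;
}

// Constructed sample log: a legitimate member (user 42) saving a card for
// their own membership, followed by an anonymous client at 198.51.100.23
// walking membership IDs 100 through 105.
$example_log = array(
    '{"ts":"2026-01-17T10:00:01Z","ip":"203.0.113.5","user_id":42,"action":"rcp_stripe_create_setup_intent_for_saved_card","membership_id":42}',
    '{"ts":"2026-01-17T10:00:03Z","ip":"203.0.113.5","user_id":42,"action":"heartbeat","membership_id":0}',
);
foreach ( range( 100, 105 ) as $i ) {
    $example_log[] = sprintf(
        '{"ts":"2026-01-17T10:05:%02dZ","ip":"198.51.100.23","user_id":0,"action":"%s","membership_id":%d}',
        $i - 100, EXAMPLE_TARGET_ACTION, $i
    );
}

foreach ( example_analyze_ajax_log( $example_log ) as $finding ) {
    echo $finding, PHP_EOL;
}
```

On the sample log the check reports each of the six anonymous calls individually and then a single enumeration finding for 198.51.100.23; the legitimate member's request for their own membership produces nothing. Note that a standard web-server access log is not enough on its own: admin-ajax.php actions are usually sent in the POST body, so the action and membership parameters only appear in a log written at the WordPress layer, which is why the monitoring recommendations ask for detailed request logging on that endpoint.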
How to Mitigate CVE-2025-14844
Immediate Actions Required
- Update the Membership Plugin – Restrict Content to version 3.2.17 or later immediately
- Audit Stripe dashboard for any suspicious SetupIntent activity during the exposure window
- Review access logs for potential exploitation attempts before patching
- Consider temporarily disabling the Stripe payment gateway if immediate update is not possible
Patch Information
The vulnerability has been addressed in version 3.2.17 of the Restrict Content plugin. The fix implements proper capability checks and validates user ownership of membership data before processing Stripe SetupIntent requests.
The patch details can be reviewed in the WordPress Plugin Changeset. Additional vulnerability details are available through the Wordfence Vulnerability Database.
Workarounds
- Implement WAF rules to restrict access to the vulnerable AJAX endpoint until patching is complete
- Temporarily disable the Stripe payment gateway integration if the update cannot be applied immediately
- Use WordPress security plugins to add capability checks at the request level for unauthenticated AJAX calls
- Monitor and rate-limit requests to admin-ajax.php targeting Stripe-related actions
# Configuration example - Add to .htaccess to restrict AJAX endpoint access temporarily
# Block unauthenticated access to specific AJAX actions
# Caveats: mod_rewrite can only test the query string, so an action sent in a
# POST body is not matched by the QUERY_STRING condition below; and the cookie
# test only checks that a cookie named wordpress_logged_in* is present, not
# that it is valid. Treat this as a stop-gap until the plugin is updated.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} admin-ajax\.php
RewriteCond %{QUERY_STRING} action=rcp_stripe_create_setup_intent [NC]
RewriteCond %{HTTP_COOKIE} !wordpress_logged_in
RewriteRule .* - [F,L]
</IfModule>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.