{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14844", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-17T18:34:48.898Z", "datePublished": "2026-01-16T09:23:46.932Z", "dateUpdated": "2026-04-08T16:35:02.041Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:35:02.041Z"}, "affected": [{"vendor": "stellarwp", "product": "Membership Plugin \u2013 Restrict Content", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.2.16", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Membership Plugin \u2013 Restrict Content plugin for WordPress is vulnerable to Missing Authentication in all versions up to, and including, 3.2.16 via the 'rcp_stripe_create_setup_intent_for_saved_card' function due to missing capability check. Additionally, the plugin does not check a user-controlled key, which makes it possible for unauthenticated attackers to leak Stripe SetupIntent client_secret values for any membership."}], "title": "Membership Plugin \u2013 Restrict Content <= 3.2.16 - Missing Authentication to Insecure Direct Object Reference and Sensitive Information Exposure", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0c28545d-c7cd-469f-bccf-90e8b52fd4e7?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.16/core/includes/gateways/stripe/functions.php#L848"}, {"url": "https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.16/core/includes/gateways/stripe/functions.php#L987"}, {"url": "https://docs.stripe.com/api/setup_intents/object"}, {"url": "https://cwe.mitre.org/data/definitions/639.html"}, {"url": "https://plugins.trac.wordpress.org/changeset/3438168/restrict-content/tags/3.2.17/core/includes/gateways/stripe/functions.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "cweId": "CWE-639", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "baseScore": 8.2, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "andrea bocchetti"}], "timeline": [{"time": "2025-12-17T18:50:59.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-01-15T20:39:14.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-16T12:48:39.518455Z", "id": "CVE-2025-14844", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-16T12:50:27.771Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14844", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-16T12:48:39.518455Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-16T12:50:22.948Z"}}], "cna": {"title": "Membership Plugin \u2013 Restrict Content <= 3.2.16 - Missing Authentication to Insecure Direct Object Reference and Sensitive Information Exposure", "credits": [{"lang": "en", "type": "finder", "value": "andrea bocchetti"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"}}], "affected": [{"vendor": "stellarwp", "product": "Membership Plugin \u2013 Restrict Content", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.2.16"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-17T18:50:59.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-01-15T20:39:14.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0c28545d-c7cd-469f-bccf-90e8b52fd4e7?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.16/core/includes/gateways/stripe/functions.php#L848"}, {"url": "https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.16/core/includes/gateways/stripe/functions.php#L987"}, {"url": "https://docs.stripe.com/api/setup_intents/object"}, {"url": "https://cwe.mitre.org/data/definitions/639.html"}, {"url": "https://plugins.trac.wordpress.org/changeset/3438168/restrict-content/tags/3.2.17/core/includes/gateways/stripe/functions.php"}], "descriptions": [{"lang": "en", "value": "The Membership Plugin \u2013 Restrict Content plugin for WordPress is vulnerable to Missing Authentication in all versions up to, and including, 3.2.16 via the 'rcp_stripe_create_setup_intent_for_saved_card' function due to missing capability check. Additionally, the plugin does not check a user-controlled key, which makes it possible for unauthenticated attackers to leak Stripe SetupIntent client_secret values for any membership."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:35:02.041Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14844", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:35:02.041Z", "dateReserved": "2025-12-17T18:34:48.898Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-16T09:23:46.932Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:liquidweb:restrict_content:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "4029F83A-38F5-4132-92F3-E0639BEF0DE4", "versionEndExcluding": "3.2.17", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Membership Plugin \u2013 Restrict Content plugin for WordPress is vulnerable to Missing Authentication in all versions up to, and including, 3.2.16 via the 'rcp_stripe_create_setup_intent_for_saved_card' function due to missing capability check. Additionally, the plugin does not check a user-controlled key, which makes it possible for unauthenticated attackers to leak Stripe SetupIntent client_secret values for any membership."}], "id": "CVE-2025-14844", "lastModified": "2026-01-23T17:09:18.520", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "security@wordfence.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-16T10:16:04.330", "references": [{"source": "security@wordfence.com", "tags": ["Technical Description"], "url": "https://cwe.mitre.org/data/definitions/639.html"}, {"source": "security@wordfence.com", "tags": ["Product"], "url": "https://docs.stripe.com/api/setup_intents/object"}, {"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.16/core/includes/gateways/stripe/functions.php#L848"}, {"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.16/core/includes/gateways/stripe/functions.php#L987"}, {"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset/3438168/restrict-content/tags/3.2.17/core/includes/gateways/stripe/functions.php"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0c28545d-c7cd-469f-bccf-90e8b52fd4e7?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T15:39:21.895830+00:00", "value": {"mitigation_remediation": ["Upgrade the Restrict Content plugin to version 3.2.17 or later, which removes the capability check and protects the Stripe SetupIntent values", "If an upgrade is not immediately possible, disable the stripe gateway or remove the rcp_stripe_create_setup_intent_for_saved_card function temporarily to prevent unauthenticated calls", "Implement a security review of the plugin\u2019s code to ensure that all endpoints performing sensitive operations enforce proper capability checks and authentication before providing any data"], "summary": {"action": "Immediate Patch", "impact": "Sensitive Information Exposure via unauthenticated access to Stripe SetupIntent client secrets"}, "threat_synthesis": {"affected_systems": "All installations of the StellarWP Restrict Content plugin on WordPress sites running version 3.2.16 or earlier are vulnerable. The issue is present in every build up to and including 3.2.16, regardless of other site or plugin configurations.", "description_and_impact": "The Restrict Content plugin for WordPress exhibits a missing authentication flaw in the rcp_stripe_create_setup_intent_for_saved_card function, allowing any user to call the function without sufficient capability checks. This leads to the exposure of Stripe SetupIntent client_secret values for any membership, revealing sensitive payment data that could be used for fraudulent activities or unauthorized access to billing information. The weakness is classified as CWE\u2011639, which describes misuse of input leading to authorization bypass or information disclosure.", "risk_and_exploitability": "The CVSS score of 8.2 indicates a high severity, and the EPSS score of less than 1% suggests a low probability of immediate exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, implying that known current exploits are not documented. Exploitation requires no authentication; an attacker can simply make an HTTP request to an endpoint that triggers the vulnerable function and retrieve the client_secret. Because the impact is the disclosure of payment credentials, any breach could lead to financial loss or regulatory penalties."}}}}, "created": "2026-01-16T13:41:30.724944+00:00", "updated": "2026-04-22T15:45:20.872261+00:00", "vendors": ["stellarwp", "stellarwp$PRODUCT$membership_plugin_-_restrict_content", "wordpress", "wordpress$PRODUCT$wordpress"]}