CVE-2025-14844 in Membership Plugin Plugin
Summary
by MITRE • 01/16/2026
The Membership Plugin – Restrict Content plugin for WordPress is vulnerable to Missing Authentication in all versions up to, and including, 3.2.16 via the 'rcp_stripe_create_setup_intent_for_saved_card' function due to missing capability check. Additionally, the plugin does not check a user-controlled key, which makes it possible for unauthenticated attackers to leak Stripe SetupIntent client_secret values for any membership.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 01/24/2026
The membership plugin restrict content for wordpress presents a critical security vulnerability that affects all versions up to and including 3216. This flaw resides within the rcp_stripe_create_setup_intent_for_saved_card function where the plugin fails to perform proper authentication checks. The vulnerability stems from a missing capability check that allows unauthorized users to exploit the functionality without proper authorization. The absence of authentication validation creates a pathway for malicious actors to manipulate the plugin's stripe integration capabilities. This issue is particularly concerning because it directly impacts the payment processing infrastructure that many wordpress sites rely upon for membership management and subscription services.
The technical implementation of this vulnerability demonstrates a fundamental flaw in access control mechanisms within the plugin's codebase. The plugin does not validate whether the requesting user possesses the necessary permissions to perform stripe setup intent operations. Furthermore, the vulnerability extends beyond simple authentication bypass as the plugin fails to validate user-controlled input parameters. This lack of input sanitization enables attackers to manipulate the system and extract sensitive information. The vulnerability is classified as a missing authentication issue that aligns with common weakness enumeration cwe-284 which addresses improper access control. The flaw creates an environment where unauthenticated attackers can leverage the system's functionality to gather confidential data.
The operational impact of this vulnerability is severe for wordpress sites utilizing the affected plugin. Attackers can exploit this weakness to obtain stripe setupintent client_secret values that are typically protected and should only be accessible to authorized users. These client_secret values contain sensitive cryptographic information that could potentially be used to compromise payment transactions or access other systems. The vulnerability affects all membership levels and user types within the plugin's scope, making it particularly dangerous for sites with multiple user roles and complex membership structures. The leak of client_secret values could enable attackers to perform unauthorized transactions or gain deeper access to the payment processing infrastructure.
Security practitioners should implement immediate mitigations to address this vulnerability. The most effective approach involves applying the latest plugin updates that include proper capability checks and input validation. Organizations should also consider implementing network-level monitoring to detect suspicious access patterns related to stripe integration functions. Additional protective measures include restricting access to the affected plugin endpoints through firewall rules or web application firewalls. The vulnerability demonstrates the importance of proper authentication mechanisms as outlined in the mitre attack framework where such weaknesses often serve as initial access vectors. Regular security audits of wordpress plugins should include verification of authentication checks and input validation routines to prevent similar issues. Organizations using this plugin should also review their stripe integration configurations and implement additional logging to track access to sensitive payment functions. The vulnerability serves as a reminder of the critical need for proper capability checks in web applications and the potential consequences of neglecting authentication validation in payment processing systems.