Cyber Posture

CVE-2025-14844

High

Published: 16 January 2026

Published
16 January 2026
Modified
23 January 2026
KEV Added
Patch
CVSS Score 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
EPSS Score 0.0010 28.0th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

The Membership Plugin – Restrict Content plugin for WordPress is vulnerable to Missing Authentication in all versions up to, and including, 3.2.16 via the 'rcp_stripe_create_setup_intent_for_saved_card' function due to missing capability check. Additionally, the plugin does not check a user-controlled key,…

more

which makes it possible for unauthenticated attackers to leak Stripe SetupIntent client_secret values for any membership.

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match
prevent

Enforces approved authorizations for access to system resources, directly addressing the missing capability check that allowed unauthenticated access to the Stripe function.

AC-14 Permitted Actions Without Identification or Authentication good match
prevent

Identifies and authorizes only non-sensitive actions without identification or authentication, preventing exposure of Stripe SetupIntent client secrets via unauthenticated endpoints.

SI-10 Information Input Validation good match
prevent

Requires validation of information inputs, mitigating the failure to check the user-controlled key that enabled leaking secrets for any membership.

Security SummaryAI

CVE-2025-14844 is a missing authentication vulnerability (CWE-639) in the Membership Plugin – Restrict Content for WordPress, affecting all versions up to and including 3.2.16. The issue resides in the 'rcp_stripe_create_setup_intent_for_saved_card' function within the plugin's Stripe gateway integration at core/includes/gateways/stripe/functions.php. Due to a missing capability check and failure to validate a user-controlled key, the function exposes sensitive Stripe SetupIntent client_secret values.

Unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction required, per its CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N). Exploitation allows remote attackers to leak Stripe SetupIntent client_secret values for any membership, granting high confidentiality impact and limited integrity impact by compromising payment setup intents without affecting availability.

Mitigation is available in version 3.2.17 of the plugin, as detailed in WordPress plugin repository changeset 3438168, which addresses the flaws in core/includes/gateways/stripe/functions.php. Practitioners should urge site administrators to update immediately, verify Stripe configurations, and monitor for unauthorized SetupIntent access using Stripe's API documentation.

Details

CWE(s)
CWE-639

Affected Products

liquidweb
restrict content
≤ 3.2.17

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

The vulnerability is a missing authentication issue in a public-facing WordPress plugin, allowing unauthenticated remote exploitation to leak sensitive Stripe client_secret values, directly mapping to Exploit Public-Facing Application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References