Membership Plugin – Restrict Content < 3.2.17 – Missing Authentication to Insecure Direct Object Reference and Sensitive Information Exposure | CVE 2025-14844 | Plugin Vulnerabilities

Description

The Membership Plugin – Restrict Content plugin for WordPress is vulnerable to Missing Authentication in all versions up to, and including, 3.2.16 via the 'rcp_stripe_create_setup_intent_for_saved_card' function due to missing capability check. Additionally, the plugin does not check a user-controlled key, which makes it possible for unauthenticated attackers to leak Stripe SetupIntent client_secret values for any membership.

Affects Plugins

restrict-content

Fixed in 3.2.17

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/0c28545d-c7cd-469f-bccf-90e8b52fd4e7

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

andrea bocchetti

Verified

No

WPVDB ID

e79f2e42-3908-410b-8270-df4ed493ee23

Timeline

Publicly Published

2026-01-15 (about 3 months ago)

Added

2026-01-15 (about 3 months ago)

Last Updated

2026-01-16 (about 3 months ago)

Other

Published

Title

Published

2025-03-19

Title

NP Quote Request for WooCommerce < 1.9.180 - Insecure Direct Object Reference to Unauthenticated Sensitive Information Disclosure

Published

2026-01-02

Title

Innovio <= 1.7 - Authenticated (Subscriber+) Insecure Direct Object Reference

Published

2024-04-05

Title

ProfileGrid < 5.7.7 - Authenticated (Subscriber+) Insecure Direct Object Reference

Published

2026-04-15

Title

Payment Gateway for Redsys & WooCommerce Lite < 7.0.1 - Improper Verification of Cryptographic Signature to Unauthenticated Payment Status Manipulation

Published

2024-03-29

Title

Thumbs Rating <= 5.1.0 - Unauthenticated Insecure Direct Object Reference