CVE-2025-14844

High
Weakness Type: CWE-639
Published: Jan 16, 2026 · Modified: Feb 28, 2026 · Source: NVD
CVSS v3: 8.2
📄 Description (English)

The Membership Plugin – Restrict Content plugin for WordPress is vulnerable to Missing Authentication in all versions up to, and including, 3.2.16 via the 'rcp_stripe_create_setup_intent_for_saved_card' function due to missing capability check. Additionally, the plugin does not check a user-controlled key, which makes it possible for unauthenticated attackers to leak Stripe SetupIntent client_secret values for any membership.

🤖 AI Executive Summary

The Membership Plugin – Restrict Content for WordPress (versions up to 3.2.16) contains a critical authentication bypass vulnerability allowing unauthenticated attackers to leak Stripe SetupIntent client_secret values. This vulnerability enables unauthorized access to sensitive payment processing information without proper capability checks. The lack of authentication controls combined with missing validation of user-controlled keys creates a direct pathway for attackers to compromise payment data and membership systems.

🤖 AI Intelligence Analysis (analyzed: Apr 25, 2026 20:19)
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability poses significant risk to Saudi organizations running WordPress-based membership and subscription platforms, particularly in the banking and fintech sectors that rely on Stripe integration. Financial institutions, healthcare providers offering membership services, e-commerce platforms, and educational institutions managing paid content are at high risk. Exposure of Stripe SetupIntent client_secret values could lead to unauthorized payment processing, fraudulent transactions, and compromise of customer financial data, directly affecting SAMA-regulated entities and organizations subject to NCA cybersecurity requirements. Saudi government agencies and enterprises using this plugin for restricted content delivery face potential data breach and compliance violations.
🏢 Affected Saudi Sectors
Banking and Financial Services, E-commerce and Retail, Healthcare and Medical Services, Education and Online Learning, Government and Public Sector, Telecommunications, Media and Publishing, SaaS and Cloud Services
⚖️ Saudi Risk Score (AI): 8.7 / 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all WordPress installations using Membership Plugin – Restrict Content plugin
2. Disable the plugin immediately if version 3.2.16 or earlier is detected
3. Review Stripe account activity logs for suspicious SetupIntent creation or access patterns
4. Notify affected users of potential exposure to Stripe payment secrets

PATCHING:
1. Update plugin to version 3.2.17 or later immediately
2. Verify patch application by checking plugin version in WordPress admin dashboard
3. Test Stripe integration functionality post-update

COMPENSATING CONTROLS (if immediate patching not possible):
1. Implement Web Application Firewall (WAF) rules to block requests to 'rcp_stripe_create_setup_intent_for_saved_card' function
2. Restrict access to WordPress admin and plugin directories via IP whitelisting
3. Implement rate limiting on Stripe API endpoints
4. Monitor and log all Stripe API calls for anomalies

DETECTION:
1. Monitor WordPress logs for POST requests to wp-admin/admin-ajax.php with action=rcp_stripe_create_setup_intent_for_saved_card
2. Alert on any SetupIntent creation from unauthenticated sessions
3. Review Stripe webhook logs for unexpected SetupIntent events
4. Implement IDS/IPS signatures for CVE-2025-14844 exploitation attempts
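As an added detection example (not from the advisory, NVD or the plugin vendor), the following Python script implements step 1 of the Detection list over constructed web-server log lines: it parses combined-format entries, flags admin-ajax.php requests carrying the vulnerable action, and summarizes per-source counts and distinct membership ids so one client walking many memberships stands out. It assumes the action is visible in the request line and uses 'membership_id' as a stand-in name for the unchecked user-controlled key, which the advisory does not name.

```python
import re
from urllib.parse import urlsplit, parse_qs
SUSPECT_ACTION = "rcp_stripe_create_setup_intent_for_saved_card"

# Constructed sample lines (not real traffic) in combined log format. Assumptions: the action
# is in the request line (if it travels only in the POST body, run this where the body is
# logged, e.g. the WAF), and 'membership_id' stands in for the unchecked user-controlled key.
SAMPLE_LOG = """\
203.0.113.10 - - [16/Jan/2026:10:01:02 +0300] "POST /wp-admin/admin-ajax.php?action=rcp_stripe_create_setup_intent_for_saved_card&membership_id=42 HTTP/1.1" 200 312 "-" "curl/8.4.0"
198.51.100.7 - - [16/Jan/2026:10:01:05 +0300] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 88 "https://example.test/wp-admin/" "Mozilla/5.0"
203.0.113.10 - - [16/Jan/2026:10:01:09 +0300] "POST /wp-admin/admin-ajax.php?action=rcp_stripe_create_setup_intent_for_saved_card&membership_id=43 HTTP/1.1" 200 310 "-" "curl/8.4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

def parse_line(line):
    """Return the fields of one log line with path and parsed query, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"], rec["query"] = parts.path, parse_qs(parts.query)
    return rec

def is_suspect(rec):
    """admin-ajax.php request carrying the vulnerable action name (Detection step 1)."""
    return (rec["path"].endswith("/wp-admin/admin-ajax.php")
            and SUSPECT_ACTION in rec["query"].get("action", []))

def find_hits(log_text):
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_suspect(rec):
            mid = rec["query"].get("membership_id", [None])[0]
            hits.append({"ip": rec["ip"], "ts": rec["ts"], "membership_id": mid})
    return hits

def summarize(hits):
    """Per-IP count and distinct ids: one source walking many memberships is the enumeration pattern."""
    per_ip = {}
    for h in hits:
        e = per_ip.setdefault(h["ip"], {"count": 0, "membership_ids": set()})
        e["count"] += 1
        if h["membership_id"] is not None:
            e["membership_ids"].add(h["membership_id"])
    return per_ip
```

Feed real access logs to find_hits and alert when summarize shows one source with several distinct membership ids in a short window; correlate with Stripe SetupIntent events (Detection step 3) to confirm.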
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
5.1 - Access Control and Authentication
5.2 - User Access Management
6.1 - Cryptography and Data Protection
7.1 - Security Event Logging and Monitoring
🔵 SAMA CSF
ID.AM-1 - Asset Management
PR.AC-1 - Access Control
PR.AC-2 - Physical and Logical Access Control
DE.CM-1 - Detection and Analysis
🟡 ISO 27001:2022
A.5.1.1 - Policies for information security
A.6.1.1 - Information security roles and responsibilities
A.8.1.1 - User endpoint devices
A.9.2.1 - User registration and de-registration
A.9.4.3 - Password management
A.12.4.1 - Event logging
🟣 PCI DSS v4.0.1
Requirement 1 - Install and maintain a firewall configuration
Requirement 2 - Do not use vendor-supplied defaults
Requirement 6 - Develop and maintain secure systems and applications
Requirement 8 - Identify and authenticate access to system components
📦 Affected Products / CPE (1 entry)
liquidweb:restrict_content
📊 CVSS Score: 8.2 / 10.0 (High)
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Attack Vector: N (Network)
Attack Complexity: L (Low)
Privileges Required: N (None)
User Interaction: N (None)
Scope: U (Unchanged)
Confidentiality: H (High)
Integrity: L (Low)
Availability: N (None)
📋 Quick Facts
Severity: High
CVSS Score: 8.2
CWE: CWE-639
EPSS: 0.10%
Exploit: No
Patch: Yes
Published: 2026-01-16
Source Feed: nvd
🇸🇦 Saudi Risk Score: 8.7 / 10.0 (Priority: CRITICAL)
🏷️ Tags: patch-available, CWE-639