CVE-2025-14844

8.2 HIGH

📋 TL;DR

This vulnerability allows unauthenticated attackers to access Stripe SetupIntent client_secret values for any membership in the Restrict Content WordPress plugin. Attackers can potentially intercept payment setup data, though they cannot directly access payment cards. All WordPress sites using vulnerable plugin versions are affected.

💻 Affected Systems

Products:
  • Membership Plugin – Restrict Content for WordPress
Versions: All versions up to and including 3.2.16
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires plugin to be installed and active with Stripe integration configured.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could intercept payment setup flows, potentially redirecting payments or accessing sensitive Stripe transaction data for all memberships.

🟠 Likely Case

Attackers leak Stripe SetupIntent secrets, enabling them to monitor or interfere with payment setup processes for compromised memberships.

🟢 If Mitigated

With proper authentication checks, only authorized users can access SetupIntent data, limiting exposure to legitimate payment flows.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires crafting requests to the vulnerable function without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.2.17

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3438168/restrict-content/tags/3.2.17/core/includes/gateways/stripe/functions.php

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the 'Restrict Content' plugin.
4. Click 'Update Now' if available, or manually update to version 3.2.17 or later.
5. Verify the plugin is active and functioning.

🔧 Temporary Workarounds

  • Disable the vulnerable function via code modification
  • Add authentication checks to the rcp_stripe_create_setup_intent_for_saved_card function
  • Edit core/includes/gateways/stripe/functions.php lines 848-987 to add capability checks

🧯 If You Can't Patch

  • Temporarily disable the Restrict Content plugin if not essential
  • Implement web application firewall rules to block unauthenticated requests to the vulnerable endpoint

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins for Restrict Content version ≤3.2.16

Check Version:

wp plugin list --name='restrict-content' --field=version

Verify Fix Applied:

Confirm plugin version is 3.2.17 or higher in WordPress admin

📡 Detection & Monitoring

Log Indicators:

  • Unusual unauthenticated POST requests to WordPress admin-ajax.php with 'rcp_stripe_create_setup_intent_for_saved_card' action

Network Indicators:

  • HTTP requests to /wp-admin/admin-ajax.php with action parameter containing 'rcp_stripe' from unauthenticated sources

SIEM Query:

source="wordpress.log" AND "admin-ajax.php" AND "rcp_stripe_create_setup_intent_for_saved_card" AND (user="-" OR user="unauthenticated")
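As an added example (not part of this advisory or the plugin vendor's code), the following Python applies the log indicators above to constructed combined-format access log lines: it flags requests to admin-ajax.php whose action parameter starts with rcp_stripe while the remote-user field is "-". The log lines, IP addresses and timestamps are all constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format up to the status code; referer and user agent are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

AJAX_PATH = "/wp-admin/admin-ajax.php"
SUSPECT_ACTION_PREFIX = "rcp_stripe"   # matches the advisory's network indicator


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # Only an action carried in the query string is visible in an access log.
    rec["action"] = parse_qs(parts.query).get("action", [None])[0]
    return rec


def is_suspect(rec):
    """True for admin-ajax.php calls with an rcp_stripe* action and no remote user."""
    return (rec is not None
            and rec["path"].endswith(AJAX_PATH)
            and rec["action"] is not None
            and rec["action"].startswith(SUSPECT_ACTION_PREFIX)
            and rec["user"] == "-")


def find_suspect_requests(lines):
    return [rec for rec in map(parse_line, lines) if is_suspect(rec)]


# Constructed sample log lines (documentation IP ranges, invented timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jan/2025:10:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=rcp_stripe_create_setup_intent_for_saved_card HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    '198.51.100.5 - alice [12/Jan/2025:10:00:05 +0000] "POST /wp-admin/admin-ajax.php?action=rcp_stripe_create_setup_intent_for_saved_card HTTP/1.1" 200 512 "https://example.test/account/" "Mozilla/5.0"',
    '192.0.2.9 - - [12/Jan/2025:10:00:09 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Jan/2025:10:00:12 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    '203.0.113.8 - - [12/Jan/2025:10:00:20 +0000] "GET /wp-admin/admin-ajax.php?action=rcp_stripe_create_setup_intent_for_saved_card&x=1 HTTP/1.1" 403 0 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    for rec in find_suspect_requests(SAMPLE_LOG):
        print(rec["ts"], rec["ip"], rec["method"], rec["action"], rec["status"])
```

The remote-user field records HTTP authentication only, not WordPress login state, and a POST whose action is sent in the request body (the fourth sample line) leaves no action in a standard access log, so this check is a heuristic that should be paired with the plugin version check above.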
