Missing Authentication Vulnerability in Membership Plugin – Restrict Content for WordPress
CVE-2025-14844

8.2 HIGH

Key Information:

Vendor: WordPress
CVE Published: 16 January 2026

What is CVE-2025-14844?

The Membership Plugin – Restrict Content for WordPress has a vulnerability that allows unauthorized users to access sensitive client_secret values from Stripe SetupIntents. The flaw arises from a missing capability check in the 'rcp_stripe_create_setup_intent_for_saved_card' function, coupled with the failure to validate a user-controlled key. As a result, unauthenticated attackers could leak sensitive membership-related data, which is a serious risk for all installations of the plugin up to and including version 3.2.16.

Affected Version(s)

Membership Plugin – Restrict Content * <= 3.2.16

CVSS V3.1

Score: 8.2
Severity: HIGH
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

andrea bocchetti