Atomic Edge analysis of CVE-2025-14844:
This vulnerability is an Insecure Direct Object Reference (IDOR) and information exposure flaw in the Restrict Content WordPress plugin. The issue resides in the Stripe payment gateway functionality, allowing unauthenticated attackers to retrieve sensitive Stripe SetupIntent client secrets for any membership. The CVSS score of 8.2 reflects the high severity of this authentication bypass.
The root cause is the `rcp_stripe_create_setup_intent_for_saved_card` function in `/restrict-content/core/includes/gateways/stripe/functions.php`. The function lacked both a capability check to confirm the caller was an authenticated user and a nonce check to validate request intent, so its AJAX handler could be reached directly without authentication. The function executed its full logic without confirming that the user held the `read` capability or had supplied a valid nonce.
Exploitation involves sending a POST request to the WordPress admin AJAX endpoint, `/wp-admin/admin-ajax.php`. The attacker sets the `action` parameter to `rcp_stripe_create_setup_intent_for_saved_card`. No other specific parameters are required to trigger the leak, as the missing checks allow the function to proceed and return the Stripe SetupIntent data, which includes the sensitive `client_secret` value, for a membership context.
The patch adds two security controls. First, it introduces a nonce check via `check_ajax_referer( 'rcp_stripe_create_setup_intent_for_saved_card', 'nonce' )`. Second, it adds a capability check, `if ( ! current_user_can( 'read' ) )`, to ensure the requesting user is at least a registered subscriber. The nonce is also added to the localized script variables in the same file, so legitimate front-end requests include it. Together these changes enforce authentication and request validation.
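As an added illustration of the two controls described above (this is a reconstruction written for this analysis, not the plugin's actual code), the following shows a minimal AJAX handler in its unprotected form beside a hardened form that applies the nonce check and the `read` capability check, plus the `wp_localize_script` call that hands the nonce to the front end. The action name, nonce parameter name and capability come from the advisory; the Stripe API call is replaced by a stub, and the script handle, JavaScript variable name and function names are assumptions.

```php
<?php
// Illustrative reconstruction for CVE-2025-14844, not the Restrict Content plugin's code.
// Names from the advisory: action/nonce 'rcp_stripe_create_setup_intent_for_saved_card',
// nonce request arg 'nonce', required capability 'read'. Everything else is assumed.

// BEFORE (vulnerable pattern): no nonce check, no capability check. Any request that
// reaches admin-ajax.php with this action receives the SetupIntent client_secret.
function example_vulnerable_create_setup_intent_for_saved_card() {
    $intent = example_create_stripe_setup_intent_stub(); // stands in for the Stripe API call
    wp_send_json_success( array( 'client_secret' => $intent['client_secret'] ) );
}

// AFTER (hardened pattern): validate request intent, then authorization, then do the work.
function example_hardened_create_setup_intent_for_saved_card() {
    // Verifies the 'nonce' request argument against the named action. With the default
    // $die = true, an invalid or missing nonce ends the request with a 403 response.
    check_ajax_referer( 'rcp_stripe_create_setup_intent_for_saved_card', 'nonce' );

    // Anonymous visitors hold no capabilities, so 'read' requires a logged-in account
    // (every registered role, subscriber included, has it).
    if ( ! current_user_can( 'read' ) ) {
        wp_send_json_error( array( 'message' => 'You must be logged in.' ), 403 );
    }

    $intent = example_create_stripe_setup_intent_stub();
    wp_send_json_success( array( 'client_secret' => $intent['client_secret'] ) );
}

// Register the hardened handler for logged-in users only. Hooking wp_ajax_nopriv_* as well
// would expose the handler to anonymous callers, leaving current_user_can() as the only gate.
add_action(
    'wp_ajax_rcp_stripe_create_setup_intent_for_saved_card',
    'example_hardened_create_setup_intent_for_saved_card'
);

// Expose the nonce to the front-end script so legitimate requests can send it as 'nonce'.
// The script handle 'rcp-stripe-example' and the variable 'rcpStripeVars' are assumptions.
function example_enqueue_stripe_script_with_nonce() {
    wp_enqueue_script(
        'rcp-stripe-example',
        plugins_url( 'rcp-stripe-example.js', __FILE__ ),
        array( 'jquery' ),
        '1.0.0',
        true
    );
    wp_localize_script( 'rcp-stripe-example', 'rcpStripeVars', array(
        'ajaxurl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'rcp_stripe_create_setup_intent_for_saved_card' ),
    ) );
    // The front end then POSTs to rcpStripeVars.ajaxurl with
    //   action=rcp_stripe_create_setup_intent_for_saved_card&nonce=<rcpStripeVars.nonce>
}
add_action( 'wp_enqueue_scripts', 'example_enqueue_stripe_script_with_nonce' );

// Stub standing in for the Stripe SetupIntent creation. Constructed placeholder values only.
function example_create_stripe_setup_intent_stub() {
    return array(
        'id'            => 'seti_PLACEHOLDER',
        'client_secret' => 'seti_PLACEHOLDER_secret_PLACEHOLDER',
    );
}
```

The order matters: `check_ajax_referer()` runs first so that a forged cross-site request from a logged-in victim is rejected before any capability is consulted, and `current_user_can( 'read' )` then rejects the unauthenticated direct requests the advisory describes. The nonce alone is not an authentication control (it is derived from the current session, which for an anonymous visitor is simply "no user"), which is why the patch needs both checks.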
Successful exploitation leads to the exposure of Stripe SetupIntent `client_secret` values. An attacker could use these secrets to manipulate payment processes, potentially link unauthorized payment methods to user accounts, or interfere with subscription flows. This constitutes a significant breach of payment integrity and user data confidentiality within the membership system.
