Cyber Posture

CVE-2025-14844

High

Published: 16 January 2026
Modified: 23 January 2026
KEV Added: not listed
Patch: available (3.2.17)
CVSS Score: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)
EPSS Score: 0.0011 (28.9th percentile)
Risk Priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-14844 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Liquidweb Restrict Content. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS ranking places it at the 28.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- Prevent, AC-3 (Access Enforcement): Enforces approved authorizations for access to system resources, directly addressing the missing capability check that allowed unauthenticated access to the Stripe function.
- Prevent, AC-14 (Permitted Actions Without Identification or Authentication): Identifies and authorizes only non-sensitive actions without identification or authentication, preventing exposure of Stripe SetupIntent client secrets via unauthenticated endpoints.
- Prevent (input validation): Requires validation of information inputs, mitigating the failure to check the user-controlled key that enabled leaking secrets for any membership.

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is a missing authentication issue in a public-facing WordPress plugin, allowing unauthenticated remote exploitation to leak sensitive Stripe client_secret values, directly mapping to Exploit Public-Facing Application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

The Membership Plugin – Restrict Content plugin for WordPress is vulnerable to Missing Authentication in all versions up to, and including, 3.2.16 via the 'rcp_stripe_create_setup_intent_for_saved_card' function due to missing capability check. Additionally, the plugin does not check a user-controlled key, which makes it possible for unauthenticated attackers to leak Stripe SetupIntent client_secret values for any membership.

Deeper analysis

CVE-2025-14844 is a missing-authentication vulnerability, classified as CWE-639 (Authorization Bypass Through User-Controlled Key), in the Membership Plugin – Restrict Content for WordPress, affecting all versions up to and including 3.2.16. The issue resides in the 'rcp_stripe_create_setup_intent_for_saved_card' function within the plugin's Stripe gateway integration at core/includes/gateways/stripe/functions.php. Because the function neither performs a capability check nor validates the user-controlled key it receives, it exposes sensitive Stripe SetupIntent client_secret values.

Unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction required, per its CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N). Exploitation allows remote attackers to leak Stripe SetupIntent client_secret values for any membership, granting high confidentiality impact and limited integrity impact by compromising payment setup intents without affecting availability.

Mitigation is available in version 3.2.17 of the plugin, as detailed in WordPress plugin repository changeset 3438168, which addresses the flaws in core/includes/gateways/stripe/functions.php. Practitioners should urge site administrators to update immediately, verify their Stripe configuration, and monitor the Stripe account for unexpected SetupIntent activity (Stripe's API documentation describes the relevant objects and events).
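The two defects described above, a handler reachable without authentication and a membership identifier accepted without an ownership check, are a common pattern in WordPress AJAX code. The following is an added illustration written for this page, not the plugin's own code and not taken from changeset 3438168: a hypothetical handler shown first in the weak form and then hardened with a nonce check, a capability check, and validation that the user-controlled key belongs to the caller. All function, action, option and meta names (example_*) are assumptions for the example.

```php
<?php
// Added example, not the plugin's code. Names prefixed example_ are assumed.

// Assumed storage helper: the SetupIntent client secret was saved as post meta
// when the SetupIntent was created server-side.
function example_lookup_setup_intent_secret( $membership_id ) {
    return (string) get_post_meta( $membership_id, 'example_setup_intent_secret', true );
}

// --- Weak pattern (the class of defect CWE-639 describes) ---
// Registered for logged-out callers via wp_ajax_nopriv_*, no capability check,
// and the membership id is trusted straight from the request.
add_action( 'wp_ajax_nopriv_example_setup_intent_v1', 'example_setup_intent_weak' );
add_action( 'wp_ajax_example_setup_intent_v1', 'example_setup_intent_weak' );

function example_setup_intent_weak() {
    $membership_id = absint( $_POST['membership_id'] ?? 0 );
    $secret        = example_lookup_setup_intent_secret( $membership_id );
    // Any caller who can guess an id receives that membership's client_secret.
    wp_send_json_success( array( 'client_secret' => $secret ) );
}

// --- Hardened pattern ---
// Only the authenticated wp_ajax_* hook is registered, so logged-out requests
// never reach the function (this is what NIST AC-14 asks for: only non-sensitive
// actions are permitted without authentication).
add_action( 'wp_ajax_example_setup_intent', 'example_setup_intent_hardened' );

function example_setup_intent_hardened() {
    // Reject requests that did not originate from a page this user loaded;
    // check_ajax_referer() terminates the request on failure.
    check_ajax_referer( 'example_setup_intent', 'nonce' );

    // Capability check (NIST AC-3, Access Enforcement): the caller must be a
    // logged-in user allowed to manage their own billing.
    if ( ! is_user_logged_in() || ! current_user_can( 'read' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $membership_id = absint( $_POST['membership_id'] ?? 0 );

    // Key validation: the user-controlled id must resolve to a membership the
    // current user owns. Returning the same 404 for "missing" and "not yours"
    // avoids confirming which ids exist.
    $owner_id = (int) get_post_meta( $membership_id, 'example_owner_user_id', true ); // assumed meta key
    if ( 0 === $membership_id || 0 === $owner_id || $owner_id !== get_current_user_id() ) {
        wp_send_json_error( 'not found', 404 );
    }

    $secret = example_lookup_setup_intent_secret( $membership_id );
    wp_send_json_success( array( 'client_secret' => $secret ) );
}
```

The page the button lives on would emit the nonce with wp_create_nonce( 'example_setup_intent' ) and send it as the nonce field. From a review standpoint, the three things to look for in any similar handler are: a wp_ajax_nopriv_* registration on an action that returns per-account data, the absence of current_user_can() (or an equivalent capability test), and an object id used directly in a lookup without being tied to get_current_user_id().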

Details

CWE(s): CWE-639 (Authorization Bypass Through User-Controlled Key)

Affected Products

- liquidweb restrict content, ≤ 3.2.17

CVEs Like This One

- CVE-2024-11090 (same product: Liquidweb Restrict Content)
- CVE-2024-50693 (shared CWE-639)
- CVE-2026-22234 (shared CWE-639)
- CVE-2024-53406 (shared CWE-639)
- CVE-2025-9062 (shared CWE-639)
- CVE-2025-0352 (shared CWE-639)
- CVE-2026-30230 (shared CWE-639)
- CVE-2025-69394 (shared CWE-639)
- CVE-2026-28469 (shared CWE-639)
- CVE-2026-24136 (shared CWE-639)
