Cyber Resilience

CVE-2025-14844

High

Published: 16 January 2026

Modified: 23 January 2026
CVSS Score v3.1: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)
EPSS Score: 0.0042 (33.4th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2025-14844 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Liquidweb Restrict Content. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 33.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2025-14844 is a missing authentication vulnerability (CWE-639) in the Membership Plugin – Restrict Content for WordPress, affecting all versions up to and including 3.2.16. The issue resides in the 'rcp_stripe_create_setup_intent_for_saved_card' function within the plugin's Stripe gateway integration at core/includes/gateways/stripe/functions.php. Due to a missing capability check and failure to validate a user-controlled key, the function exposes sensitive Stripe SetupIntent client_secret values.

Unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction, per its CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N). Exploitation lets remote attackers leak Stripe SetupIntent client_secret values for any membership, which accounts for the high confidentiality impact and the limited integrity impact on payment setup intents; availability is not affected.

Mitigation is available in version 3.2.17 of the plugin, as detailed in WordPress plugin repository changeset 3438168, which addresses the flaws in core/includes/gateways/stripe/functions.php. Practitioners should urge site administrators to update immediately, verify Stripe configurations, and monitor for unauthorized SetupIntent access using Stripe's API documentation.

Vulnerability details

The Membership Plugin – Restrict Content plugin for WordPress is vulnerable to Missing Authentication in all versions up to, and including, 3.2.16 via the 'rcp_stripe_create_setup_intent_for_saved_card' function due to missing capability check. Additionally, the plugin does not check a user-controlled key, which makes it possible for unauthenticated attackers to leak Stripe SetupIntent client_secret values for any membership.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is a missing authentication issue in a public-facing WordPress plugin, allowing unauthenticated remote exploitation to leak sensitive Stripe client_secret values, directly mapping to Exploit Public-Facing Application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-11090 · Same product: Liquidweb Restrict Content
CVE-2026-41471 · Shared CWE-639
CVE-2023-36331 · Shared CWE-639
CVE-2026-33297 · Shared CWE-639
CVE-2026-41084 · Shared CWE-639
CVE-2024-50685 · Shared CWE-639
CVE-2019-25235 · Shared CWE-639
CVE-2026-28469 · Shared CWE-639
CVE-2026-33511 · Shared CWE-639
CVE-2026-40600 · Shared CWE-639

Affected Assets

Vendor: liquidweb
Product: restrict content
Version: ≤ 3.2.17

Mitigating Controls (NIST 800-53 r5, AI)

prevent

Enforces approved authorizations for access to system resources, directly addressing the missing capability check that allowed unauthenticated access to the Stripe function.

prevent

Identifies and authorizes only non-sensitive actions without identification or authentication, preventing exposure of Stripe SetupIntent client secrets via unauthenticated endpoints.

prevent

Requires validation of information inputs, mitigating the failure to check the user-controlled key that enabled leaking secrets for any membership.
