Auth bypass in Stellarwp Membership Plugin – Restrict Content
CVE-2025-14844
The Membership Plugin – Restrict Content plugin for WordPress is vulnerable to Missing Authentication in all versions up to, and including, 3.2.16 via the 'rcp_stripe_create_setup_intent_for_saved_card' function due to missing capability c…
Vulnerability class: IDOR (Insecure Direct Object Reference)
EPSS: 0.001 (29.0th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 8.2 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N.
Affected products
- Stellarwp Membership Plugin – Restrict Content — versions 0
Weakness classification (CWE)
References
- www.wordfence.com/threat-intel/vulnerabilities/id/0c28545d-c7cd-469f-bccf-90e8b…
- plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.16/core/includes/g…
- plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.16/core/includes/g…
- docs.stripe.com/api/setup_intents/object
- cwe.mitre.org/data/definitions/639.html
- plugins.trac.wordpress.org/changeset/3438168/restrict-content/tags/3.2.17/core/…
Frequently asked questions
- What is CVE-2025-14844?
- CVE-2025-14844 is a high-severity vulnerability in Stellarwp Membership Plugin – Restrict Content, classified under Authorization Bypass Through User-Controlled Key. CVSS score: 8.2/10. Published 2026-01-16.
- How severe is CVE-2025-14844?
- High severity. CVSS v3 base score is 8.2 out of 10.