
Popular WordPress Membership Plugin Exposes Stripe Secrets - Is Your Site Quietly At Risk?

Reviewed by Andrii Daniv | 3 min read | Jan 16, 2026

A high severity vulnerability in the Membership Plugin - Restrict Content by StellarWP exposes sensitive Stripe SetupIntent data (client_secret values) on WordPress sites. A Wordfence advisory details the flaw in plugin versions up to and including 3.2.16, potentially affecting up to 10,000 websites that use the plugin for paid memberships and restricted content.

WordPress Membership Plugin Flaw Exposes Sensitive Stripe Data
A vulnerability in a WordPress membership plugin exposes sensitive Stripe data.

Key details of the Membership Plugin vulnerability

Wordfence reported a missing authentication issue affecting how the plugin handles Stripe SetupIntent data. Key points include:

  • Affected product: Membership Plugin - Restrict Content by StellarWP for WordPress.
  • Purpose: controls access to paid or private content, including pages, posts, and other protected resources.
  • Estimated reach: up to 10,000 websites use the plugin for membership and subscription functionality.
  • Issue: missing authentication and capability checks in the rcp_stripe_create_setup_intent_for_saved_card function.
  • Impact: unauthenticated attackers can request Stripe SetupIntent client_secret values linked to any membership record.
  • Severity: Wordfence assigned a CVSS score of 8.2 and classified the flaw as high severity.

According to the Wordfence advisory, the function that handles Stripe SetupIntent data does not verify user capabilities before processing requests. The plugin also fails to validate a user-controlled key, so a request can target any membership record and obtain its SetupIntent client_secret without the requester holding a WordPress account.

"The Membership Plugin - Restrict Content plugin for WordPress is vulnerable to Missing Authentication in all versions up to, and including, 3.2.16 via the ‘rcp_stripe_create_setup_intent_for_saved_card’ function due to missing capability check.

Additionally, the plugin does not check a user-controlled key, which makes it possible for unauthenticated attackers to leak Stripe SetupIntent client_secret values for any membership."

Background on Membership Plugin and Stripe SetupIntent

The Membership Plugin - Restrict Content allows site owners to limit access based on login or payment status. Administrators can protect posts, pages, and other resources so only approved members can view specific material, defining what non-paying visitors can see on membership and subscription sites.

According to Stripe's Setup Intents documentation, the API sets up a payment method for future payments without immediately creating a charge. Each SetupIntent includes a client_secret that is used on the client side to complete payment-related actions and ensure payment credentials are correctly configured for later use.

"Use the Setup Intents API to set up a payment method for future payments. It’s similar to a payment, but no charge is created."

Stripe's Customer Sessions documentation further defines the client_secret parameter, which is used on the client to access a customer securely. Stripe notes that the client_secret should not be stored, logged, or exposed to anyone other than the relevant customer, and that any page including a client_secret must use TLS encryption.

"The client secret can be used to provide access to customer from your frontend. It should not be stored, logged, or exposed to anyone other than the relevant customer."

Affected versions, severity rating, and security update

Wordfence states that all Membership Plugin - Restrict Content versions up to and including 3.2.16 contain the vulnerability. Attackers do not need a WordPress login or user role to exploit the flaw. Wordfence rated the issue with a CVSS score of 8.2, categorized as high severity.

The plugin's developers have released version 3.2.17, which adds nonce and permission checks for adding Stripe payment methods. The official WordPress.org changelog lists this as a security fix in version 3.2.17, while version 3.2.16 is documented as improving escaping and sanitization for specific shortcode attributes.
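To make the advisory's three findings concrete (missing capability check, unvalidated user-controlled key, and the nonce and permission checks added in 3.2.17), here is an added illustration in the shape of a generic WordPress AJAX handler. It is not the plugin's code or StellarWP's fix; the hook name `my_membership_setup_intent`, the helpers `my_get_membership_owner()` and `my_get_stripe_customer()`, the `membership_id` request field, and the assumption that a membership is a custom post type with `post_author` as owner and a `stripe_customer_id` post meta are all hypothetical, and stripe-php is assumed to be loaded and configured.

```php
<?php
// Added illustration, not the plugin's code. Hypothetical storage model: one
// membership = one custom-post-type post; post_author is the member, and the
// Stripe customer id lives in post meta 'stripe_customer_id'.
function my_get_membership_owner( int $membership_id ): int {
    return (int) get_post_field( 'post_author', $membership_id );
}
function my_get_stripe_customer( int $membership_id ): string {
    return (string) get_post_meta( $membership_id, 'stripe_customer_id', true );
}

// Shape the advisory describes: reachable by anonymous callers (wp_ajax_nopriv_),
// no nonce, no capability check, and the caller chooses which membership record's
// SetupIntent client_secret comes back. Shown for contrast only; do not register it.
function my_setup_intent_unsafe() {
    $membership_id = absint( $_POST['membership_id'] ?? 0 );   // user-controlled key, never checked
    $intent = \Stripe\SetupIntent::create( [ 'customer' => my_get_stripe_customer( $membership_id ) ] );
    wp_send_json_success( [ 'client_secret' => $intent->client_secret ] );
}

// Hardened shape: logged-in hook only (no _nopriv twin), nonce, authentication,
// and an ownership check on the user-controlled key.
add_action( 'wp_ajax_my_membership_setup_intent', 'my_setup_intent_safe' );
function my_setup_intent_safe() {
    // 1. CSRF: the request must carry a nonce minted for this exact action.
    check_ajax_referer( 'my_membership_setup_intent', 'nonce' );

    // 2. Authentication: wp_ajax_ (without _nopriv) already implies a session, but be explicit.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'authentication required', 401 );
    }

    // 3. Authorization: the membership must belong to the caller, or the caller must be an admin.
    $membership_id = absint( $_POST['membership_id'] ?? 0 );
    if ( $membership_id === 0
        || ( my_get_membership_owner( $membership_id ) !== get_current_user_id()
             && ! current_user_can( 'manage_options' ) ) ) {
        wp_send_json_error( 'membership not found or not yours', 403 );
    }

    $intent = \Stripe\SetupIntent::create( [
        'customer'             => my_get_stripe_customer( $membership_id ),
        'payment_method_types' => [ 'card' ],
    ] );

    // Per Stripe's guidance: hand the client_secret only to its own customer, over TLS, and never log it.
    wp_send_json_success( [ 'client_secret' => $intent->client_secret ] );
}
```

The client side would obtain the nonce with `wp_create_nonce( 'my_membership_setup_intent' )` and post it as the `nonce` field; an anonymous request fails step 2, and a logged-in user supplying someone else's `membership_id` fails step 3.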

Details of the vulnerability and its remediation are documented in the Wordfence advisory. Stripe's Setup Intents documentation and Customer Sessions documentation outline the handling requirements for client_secret values referenced in the advisory. Site owners using the Membership Plugin - Restrict Content should update to version 3.2.17 or later as soon as possible.

Author: Etavrian AI. Etavrian AI is developed by Andrii Daniv to produce and optimize content for the etavrian.com website.

Reviewed by: Andrii Daniv, founder and owner of Etavrian, a performance-driven agency specializing in PPC and SEO services for B2B and e-commerce businesses.