A significant security vulnerability has been identified in the Membership Plugin by StellarWP for WordPress, potentially exposing sensitive Stripe payment setup data. This high-severity flaw, rated 8.2 on the CVSS scale, allows unauthenticated attackers to access critical information, affecting an estimated 10,000 websites utilizing the plugin. Site owners are urged to update immediately to patch the vulnerability.

Understanding the Membership Plugin by StellarWP

The Membership Plugin — Restrict Content by StellarWP is a widely used tool for WordPress sites designed to manage paid and private content. It enables website administrators to restrict access to specific pages, posts, or other resources, ensuring only logged-in users or paying members can view them. This plugin is a common choice for membership and subscription-based websites looking to monetize their content.

Vulnerability Allows Unauthenticated Attacks

According to an advisory from Wordfence, the vulnerability can be exploited by attackers without requiring any login credentials or a WordPress user account. This means user permission roles do not mitigate the risk, making the flaw particularly dangerous due to its ease of exploitation.

The Nature of the Vulnerability: Exposed Stripe Data

The core of the issue lies in missing security checks related to Stripe payment handling within the plugin. Specifically, the plugin failed to adequately protect Stripe SetupIntent data.

A Stripe SetupIntent is a crucial component used during the checkout process to collect and securely save a customer’s payment method for future transactions. Each SetupIntent includes a client_secret value, which is intended to be shared only during a secure checkout or account setup flow.

The official Wordfence advisory explains:

"The Membership Plugin — Restrict Content plugin for WordPress is vulnerable to Missing Authentication in all versions up to, and including, 3.2.16 via the ‘rcp_stripe_create_setup_intent_for_saved_card’ function due to missing capability check.

Additionally, the plugin does not check a user-controlled key, which makes it possible for unauthenticated attackers to leak Stripe SetupIntent client_secret values for any membership."

Stripe's official documentation emphasizes that the Setup Intents API is used to configure a payment method for future charges without creating an immediate payment. While similar to a payment, its primary goal is to optimize and save payment credentials for future use. Stripe explicitly states that client_secret values should never be stored, logged, or exposed to anyone other than the intended customer.

Stripe's documentation clarifies the purpose of the Setup Intents API:

"Use the Setup Intents API to set up a payment method for future payments. It’s similar to a payment, but no charge is created.

The goal is to have payment credentials saved and optimized for future payments, meaning the payment method is configured correctly for any scenario. When setting up a card, for example, it may be necessary to authenticate the customer or check the card’s validity with the customer’s bank. Stripe updates the SetupIntent object throughout that process."

The client_secret is designed for client-side use to complete payment-related actions and must be securely passed from the server to the browser. Its exposure, due to the plugin's inadequate protections, means that Stripe payment setup data associated with memberships could be accessed beyond its intended secure scope.

Stripe's documentation on the client_secret value states:

"client_secret
The client secret of this Customer Session. Used on the client to set up secure access to the given customer.

The client secret can be used to provide access to customer from your frontend. It should not be stored, logged, or exposed to anyone other than the relevant customer. Make sure that you have TLS enabled on any page that includes the client secret."

Affected Versions and Patch Availability

The vulnerability impacts all versions of the Membership Plugin — Restrict Content up to and including version 3.2.16. The CVSS score of 8.2 underscores the severity, highlighting both the sensitive nature of the exposed data and the critical fact that no authentication is required for exploitation. This score signifies a high-severity vulnerability that can be exploited remotely without special access, making timely updates paramount for sites relying on the plugin for membership or restricted content management.

A patch addressing this issue has been released in version 3.2.17 of the plugin. This update introduces crucial missing nonce and permission checks related to Stripe payment handling, effectively closing the loophole that allowed SetupIntent client_secret values to be exposed. A nonce (number used once) is a temporary security token that helps ensure a specific action on a WordPress website was intentionally requested by a legitimate user, not a malicious attacker.
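The kind of handler the 3.2.17 fix describes, written here as an added illustration rather than the plugin's own code: a WordPress AJAX endpoint that creates a Stripe SetupIntent only after a nonce check, a login check, and an ownership check on the membership id the client supplies. The action slug, nonce action, and the two `rcp_demo_*` lookup helpers are assumed names; the Stripe call uses the real `\Stripe\SetupIntent::create()` from the official PHP SDK.

```php
<?php
// Added example, not the plugin's code: a hardened AJAX handler for creating a
// Stripe SetupIntent for a saved card. Names prefixed rcp_demo_ are hypothetical.

// Registered for logged-in users only. Deliberately no wp_ajax_nopriv_ hook, so
// anonymous requests never reach the function at all.
add_action( 'wp_ajax_rcp_demo_create_setup_intent', 'rcp_demo_create_setup_intent' );

function rcp_demo_create_setup_intent() {
    // 1. Nonce check: the page that rendered the checkout form emitted
    //    wp_create_nonce( 'rcp_demo_setup_intent' ); a request without a valid
    //    token is rejected here with HTTP 403 before anything else runs.
    check_ajax_referer( 'rcp_demo_setup_intent', 'nonce' );

    // 2. Authentication check: the missing capability check in the advisory.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( array( 'message' => 'Authentication required.' ), 401 );
    }

    // 3. Ownership check on the user-controlled key. The membership id comes from
    //    the request, so it is sanitised and then verified to belong to the caller;
    //    a mismatch is answered like a missing record to avoid confirming ids.
    $membership_id = isset( $_POST['membership_id'] ) ? absint( $_POST['membership_id'] ) : 0;
    $owner_id      = rcp_demo_membership_owner( $membership_id ); // assumed helper: int user id or 0
    if ( 0 === $membership_id || $owner_id !== get_current_user_id() ) {
        wp_send_json_error( array( 'message' => 'Membership not found.' ), 404 );
    }

    // 4. Only now contact Stripe. 'usage' => 'off_session' marks the card for
    //    future charges, which is what a saved-card SetupIntent is for.
    try {
        $intent = \Stripe\SetupIntent::create( array(
            'customer' => rcp_demo_stripe_customer_id( $membership_id ), // assumed helper
            'usage'    => 'off_session',
        ) );
    } catch ( \Stripe\Exception\ApiErrorException $e ) {
        // Do not echo the provider error body; it can carry account details.
        wp_send_json_error( array( 'message' => 'Payment provider error.' ), 502 );
    }

    // The client_secret goes straight to the authenticated owner's browser over
    // TLS and is never logged or persisted, as Stripe's documentation requires.
    wp_send_json_success( array( 'client_secret' => $intent->client_secret ) );
}
```

The two assumed helpers would wrap whatever membership storage a site uses; the essential point is that the membership id from the request is never trusted until it has been tied to the logged-in user.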

The official Membership Plugin changelog responsibly details the updates:

"3.2.17
Security: Added nonce and permission checks for adding Stripe payment methods.
3.2.16
Security: Improved escaping and sanitization for [restrict] and [register_form] shortcode attributes."

What Site Owners Should Do

All WordPress sites currently using the Membership Plugin — Restrict Content are strongly advised to update to version 3.2.17 or newer immediately. Failure to update will leave sensitive Stripe SetupIntent client_secret data vulnerable to unauthenticated attackers, potentially compromising user payment information and site security.