Membership Plugin Restrict Content Missing Authentication Insecure Direct Object Reference Vulnerability
Vulnerability
A vulnerability exists in the Membership Plugin - Restrict Content for WordPress, in all versions up to and including 3.2.16. The issue arises from the 'rcp_stripe_create_setup_intent_for_saved_card' function, which lacks proper authentication checks. This oversight allows unauthenticated attackers to exploit an Insecure Direct Object Reference (IDOR) by manipulating user-controlled keys to access sensitive information, specifically leaking Stripe SetupIntent client_secret values for any membership.
Impact
Exploitation of this vulnerability could lead to unauthorized access to sensitive information, specifically Stripe client_secret values, which could be misused to manipulate payment methods or access control features within the WordPress site.
Reproduction
To reproduce this vulnerability, an unauthenticated user can send a request to the WordPress site with a manipulated key value that corresponds to a membership's Stripe SetupIntent. The request will bypass authentication checks and expose the client_secret value, which can then be used to access or modify payment information related to that membership.
Remediation
Users are advised to update the Membership Plugin - Restrict Content to version 3.2.17 or later, where this vulnerability has been patched.
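The missing-authentication pattern described in the Vulnerability section, shown beside a hardened handler, as an added illustrative example in WordPress PHP. This is not the plugin's own code: the action names, the `example_*` helpers and the in-memory membership table are assumptions.

```php
<?php
// Constructed sample data standing in for the plugin's membership storage (assumption).
$example_membership_owners = array( 101 => 7, 102 => 9 ); // membership_id => owner user_id

function example_get_membership_owner_id( $membership_id ) {          // assumed helper
    global $example_membership_owners;
    return $example_membership_owners[ $membership_id ] ?? 0;
}

function example_get_or_create_setup_intent( $membership_id ) {        // assumed helper
    // A real implementation would call the Stripe API; this returns a constructed object.
    return (object) array( 'client_secret' => 'seti_placeholder_secret_for_' . $membership_id );
}

// BEFORE (vulnerable pattern): the handler is reachable without a login
// (wp_ajax_nopriv_) and trusts the caller-supplied membership id as-is,
// so any id yields that membership's SetupIntent client_secret (IDOR).
add_action( 'wp_ajax_nopriv_example_setup_intent', 'example_setup_intent_unsafe' );
add_action( 'wp_ajax_example_setup_intent',        'example_setup_intent_unsafe' );
function example_setup_intent_unsafe() {
    $membership_id = absint( $_POST['membership_id'] ?? 0 );
    $intent        = example_get_or_create_setup_intent( $membership_id );
    wp_send_json_success( array( 'client_secret' => $intent->client_secret ) );
}

// AFTER (hardened): no nopriv hook, so anonymous requests never reach the
// handler; the nonce is verified; and the requested membership must belong
// to the authenticated user before any secret is returned.
add_action( 'wp_ajax_example_setup_intent_secure', 'example_setup_intent_secure' );
function example_setup_intent_secure() {
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'authentication required', 401 );
    }
    check_ajax_referer( 'example_setup_intent', 'nonce' ); // dies on a missing or bad nonce

    $membership_id = absint( $_POST['membership_id'] ?? 0 );
    $owner_id      = example_get_membership_owner_id( $membership_id );

    // Ownership check: the object id must belong to the requesting user.
    // Missing and foreign ids get the same response, so ids cannot be enumerated.
    if ( 0 === $membership_id || $owner_id !== get_current_user_id() ) {
        wp_send_json_error( 'not found', 404 );
    }

    $intent = example_get_or_create_setup_intent( $membership_id );
    wp_send_json_success( array( 'client_secret' => $intent->client_secret ) );
}
```

The defensive point is the combination: removing the `wp_ajax_nopriv_` registration alone stops anonymous access, but only the ownership comparison stops an authenticated user from requesting another membership's client_secret.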