WordPress Membership Plugin Flaw Exposes Sensitive Stripe Data

According to Roger Montti’s article on Search Engine Journal, “WordPress Membership Plugin Flaw Exposes Sensitive Stripe Data,” a high-severity security vulnerability has been identified in the Membership Plugin – Restrict Content by StellarWP, potentially exposing sensitive Stripe payment setup data on as many as 10,000 WordPress websites.

Vulnerability Overview

Montti explains that the vulnerability is serious because it can be exploited by unauthenticated attackers, meaning no WordPress account or user privileges are required. Wordfence rated the issue 8.2 (High) on the CVSS scale, reflecting both the sensitivity of the exposed data and the ease of exploitation.

The affected plugin is commonly used on membership and subscription-based WordPress sites to restrict access to paid or private content.

What Data Was Exposed

The flaw involves improper protection of Stripe SetupIntent data, specifically the client_secret value. Stripe SetupIntents are used to securely collect and store a customer’s payment method for future charges. Stripe explicitly warns that client_secret values must not be logged, stored, or exposed beyond the intended customer.

According to Montti, the plugin failed to enforce authentication and capability checks on a Stripe-related function, allowing attackers to retrieve SetupIntent client_secret values associated with memberships. This could enable payment setup information to be accessed outside of its intended checkout flow.

Affected Versions and Fix

The vulnerability affects all versions up to and including 3.2.16 of the plugin. It was resolved in version 3.2.17, which added missing nonce and permission checks to ensure Stripe payment handling is properly secured.

The plugin’s changelog confirms that the update addresses the security issue related to explicitly adding Stripe payment methods.
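As an added illustration (not the plugin's actual code; handler, action and helper names are hypothetical, and a stripe-php `\Stripe\StripeClient` is assumed in `$stripe`), a WordPress AJAX handler that hands out a SetupIntent `client_secret` with no checks at all, beside one that adds the nonce, login, capability and ownership checks of the kind the fix describes:

```php
<?php
// Added illustration, not the plugin's code. Handler names, the AJAX action
// "rcp_demo_setup_intent" and the helper rcp_demo_membership_owner() are
// hypothetical. $stripe is assumed to be a \Stripe\StripeClient instance.

// WEAK PATTERN: registered for logged-out visitors (nopriv) and performs no
// nonce, login, capability or ownership check before returning client_secret.
add_action( 'wp_ajax_nopriv_rcp_demo_setup_intent', 'rcp_demo_setup_intent_weak' );
function rcp_demo_setup_intent_weak() {
    global $stripe;
    $membership_id = absint( $_POST['membership_id'] ?? 0 );
    $intent = $stripe->setupIntents->create( [
        'usage'    => 'off_session',
        'metadata' => [ 'membership_id' => $membership_id ],
    ] );
    // The client_secret is returned to anyone who can send this request.
    wp_send_json_success( [ 'client_secret' => $intent->client_secret ] );
}

// HARDENED PATTERN: logged-in users only, with a nonce check, a capability
// check and verification that the caller actually owns the membership.
add_action( 'wp_ajax_rcp_demo_setup_intent', 'rcp_demo_setup_intent_secure' );
function rcp_demo_setup_intent_secure() {
    global $stripe;
    // 1. Nonce: rejects cross-site or replayed requests (dies with 403 on failure).
    check_ajax_referer( 'rcp_demo_setup_intent', 'nonce' );
    // 2. Authentication and capability: the wp_ajax_ (non-nopriv) hook only fires
    //    for logged-in users, but check explicitly so the intent is obvious.
    if ( ! is_user_logged_in() || ! current_user_can( 'read' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 3. Ownership: the membership must belong to the current user
    //    (rcp_demo_membership_owner() is a hypothetical lookup helper).
    $membership_id = absint( $_POST['membership_id'] ?? 0 );
    if ( rcp_demo_membership_owner( $membership_id ) !== get_current_user_id() ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $intent = $stripe->setupIntents->create( [
        'usage'    => 'off_session',
        'metadata' => [ 'membership_id' => $membership_id ],
    ] );
    // 4. Return only what the browser-side Stripe.js confirmation needs, and
    //    never write the client_secret to logs or persistent storage.
    wp_send_json_success( [ 'client_secret' => $intent->client_secret ] );
}
```

The hardened handler is also deliberately not registered on a `wp_ajax_nopriv_` hook, so an unauthenticated request never reaches the Stripe call.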

What Site Owners Should Do

Sites running the Membership Plugin – Restrict Content by StellarWP are strongly advised to update to version 3.2.17 or later immediately. Leaving the plugin unpatched could expose Stripe payment setup data to unauthenticated attackers, creating both security and compliance risks.

As Montti notes, this incident underscores the importance of robust authentication and data-handling controls, especially for WordPress plugins that interact directly with payment systems and handle sensitive customer information.
