An advisory was published about a vulnerability discovered in the Membership Plugin By StellarWP that exposes sensitive Stripe payment setup data on WordPress sites using the plugin. The flaw can be exploited by unauthenticated attackers and is rated 8.2 (High).
Membership Plugin By StellarWP
The Membership Plugin – Restrict Content By StellarWP is used by WordPress sites to manage paid and private content. It enables site owners to restrict access to pages, posts, or other resources so that only logged-in users or paying members can view them and manage what non-paying site visitors can see. The plugin is commonly deployed on membership and subscription-based sites.
Vulnerable to Unauthenticated Attackers
The Wordfence advisory states that the vulnerability can be exploited by unauthenticated attackers, meaning no login or WordPress user account is required to launch an attack. User permission roles do not factor into whether the issue can be triggered, which is what makes this particular vulnerability more dangerous: it is easier to trigger.
What the Vulnerability Is
The issue stems from missing security checks related to Stripe payment handling. Specifically, the plugin failed to properly protect Stripe SetupIntent data.
A Stripe SetupIntent is used during checkout to collect and save a customer’s payment method for future use. Each SetupIntent includes a client_secret value that is meant to be handed only to the intended customer’s client during a checkout or account setup flow.
The official Wordfence advisory explains:
“The Membership Plugin – Restrict Content plugin for WordPress is vulnerable to Missing Authentication in all versions up to, and including, 3.2.16 via the ‘rcp_stripe_create_setup_intent_for_saved_card’ function due to missing capability check.
Additionally, the plugin does not check a user-controlled key, which makes it possible for unauthenticated attackers to leak Stripe SetupIntent client_secret values for any membership.”
According to Stripe’s official documentation, the Setup Intents API is used to set up a payment method for future charges without creating an immediate payment. A SetupIntent includes a client_secret. Stripe’s documentation states that client_secret values should not be stored, logged, or exposed to anyone other than the intended customer.
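As an added illustration (not the plugin’s own code), the following simplified WordPress AJAX handler shows the two checks the advisory says were missing, first absent and then in place: an authentication/capability check and a check that the caller actually owns the membership named in the request. The function names, the example_get_membership_owner() helper and the action hook names are hypothetical; the WordPress functions and the Stripe SetupIntent::create() call are real.

```php
<?php
// Added example, not the plugin's code. Illustrates the two checks the
// advisory describes as missing: an authentication/capability check and a
// check that the caller is entitled to the membership they name.

// Hypothetical helper: returns the WP user ID that owns a membership, or 0.
function example_get_membership_owner( int $membership_id ): int {
    // A real plugin would query its membership table here.
    return (int) get_option( "example_membership_owner_{$membership_id}", 0 );
}

// VULNERABLE pattern: reachable by logged-out visitors, and the
// membership ID from the request is trusted without any ownership check.
function example_setup_intent_vulnerable() {
    $membership_id = absint( $_POST['membership_id'] ?? 0 );
    $intent = \Stripe\SetupIntent::create( [ 'usage' => 'off_session' ] );
    // Returns a client_secret for any membership to any caller.
    wp_send_json_success( [ 'client_secret' => $intent->client_secret ] );
}
add_action( 'wp_ajax_example_setup_intent', 'example_setup_intent_vulnerable' );
add_action( 'wp_ajax_nopriv_example_setup_intent', 'example_setup_intent_vulnerable' );

// HARDENED pattern: require a nonce tied to this action, a logged-in user
// with the 'read' capability, and that the membership belongs to that user.
function example_setup_intent_hardened() {
    check_ajax_referer( 'example_setup_intent', 'nonce' ); // rejects forged requests
    if ( ! is_user_logged_in() || ! current_user_can( 'read' ) ) {
        wp_send_json_error( 'authentication required', 401 );
    }
    $membership_id = absint( $_POST['membership_id'] ?? 0 );
    if ( 0 === $membership_id
         || example_get_membership_owner( $membership_id ) !== get_current_user_id() ) {
        wp_send_json_error( 'membership does not belong to caller', 403 );
    }
    $intent = \Stripe\SetupIntent::create( [ 'usage' => 'off_session' ] );
    // Only the owner of this membership ever receives this client_secret.
    wp_send_json_success( [ 'client_secret' => $intent->client_secret ] );
}
// No wp_ajax_nopriv_ hook: unauthenticated requests never reach the handler.
add_action( 'wp_ajax_example_setup_intent_secure', 'example_setup_intent_hardened' );
```

Registering the hardened handler only under wp_ajax_ (never wp_ajax_nopriv_) is the first line of defence; the ownership check is what stops one authenticated member from requesting another member’s client_secret.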
Stripe’s documentation explains the purpose of the Setup Intents API as follows:
“Use the Setup Intents API to set up a payment method for future payments. It’s similar to a payment, but no charge is created.
The goal is to have payment credentials saved and optimized for future payments, meaning the payment method is configured correctly for any scenario. When setting up a card, for example, it may be necessary to authenticate the customer or check the card’s validity with the customer’s bank. Stripe updates the SetupIntent object throughout that process.”
Stripe documentation also explains that client_secret values are used client-side to…