Introduction to the Vulnerability
A recent advisory describes a vulnerability in the Membership Plugin By StellarWP that exposes sensitive Stripe payment setup data on WordPress sites using the plugin. The flaw can be exploited by unauthenticated attackers and has been rated 8.2, indicating a high level of severity.
What is the Membership Plugin By StellarWP?
The Membership Plugin – Restrict Content By StellarWP is a tool used by WordPress sites to manage paid and private content. It enables site owners to restrict access to pages, posts, or other resources, allowing only logged-in users or paying members to view them. This plugin is commonly used on membership and subscription-based sites.
Vulnerability to Unauthenticated Attackers
The Wordfence advisory states that the vulnerability can be exploited by unauthenticated attackers, meaning no login or WordPress user account is required to launch an attack. User permission roles do not factor into whether the issue can be triggered, which makes the vulnerability more dangerous because it is easier to trigger.
The Vulnerability Explained
The issue stems from missing security checks related to Stripe payment handling. Specifically, the plugin failed to properly protect Stripe SetupIntent data. A Stripe SetupIntent is used during checkout to collect and save a customer’s payment method for future use. Each SetupIntent includes a client_secret value that is intended to be shared during a checkout or account setup flow.
Stripe SetupIntent and Client_Secret
According to Stripe’s official documentation, the Setup Intents API is used to set up a payment method for future charges without creating an immediate payment. A SetupIntent includes a client_secret, which should not be stored, logged, or exposed to anyone other than the intended customer. The client_secret value is used client-side to complete payment-related actions and should be passed securely from the server to the browser.
Affected Versions and Severity
The vulnerability affects all versions of the plugin up to and including version 3.2.16. Wordfence assigned the issue a CVSS score of 8.2, reflecting the sensitivity of the exposed data and the fact that no authentication is required to trigger the issue. This score indicates a high-severity vulnerability that can be exploited remotely without special access.
Patch Availability and Solution
A patched version of the plugin is available now. The issue was fixed in version 3.2.17, which adds the missing nonce and permission checks related to Stripe payment handling. A nonce is a temporary security token that ensures a specific action on a WordPress website was intentionally requested by the user and not by a malicious attacker. Site owners should update to version 3.2.17 or newer to protect their sites.
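The kind of handler the fix describes, as an added illustration (not the plugin's code, which the advisory does not show): a WordPress AJAX endpoint that returns a SetupIntent client_secret only after a nonce check and a permission check. The action name, nonce field, user-meta key and key constant are hypothetical, and the example assumes the stripe/stripe-php library is loaded.

```php
<?php
// Added illustration, not the plugin's code. Assumed names: the action
// 'example_setup_intent', the request field 'nonce', the user-meta key
// 'example_stripe_customer_id' and the constant EXAMPLE_STRIPE_SECRET_KEY.
// Requires WordPress and the stripe/stripe-php library.

// Hook only wp_ajax_{action}. Registering wp_ajax_nopriv_{action} as well
// would let logged-out visitors reach the handler.
add_action( 'wp_ajax_example_setup_intent', 'example_setup_intent_handler' );

function example_setup_intent_handler() {
	// Nonce check: the request must carry a token this site issued for this
	// action. With $die = false the function returns false on failure, so
	// the handler can answer with an explicit 403.
	if ( ! check_ajax_referer( 'example_setup_intent', 'nonce', false ) ) {
		wp_send_json_error( array( 'message' => 'Invalid or expired nonce.' ), 403 );
	}

	// Permission check: the caller must be logged in (repeated here as
	// defence in depth) and must have a billing profile of their own.
	if ( ! is_user_logged_in() ) {
		wp_send_json_error( array( 'message' => 'Login required.' ), 401 );
	}
	$customer_id = get_user_meta( get_current_user_id(), 'example_stripe_customer_id', true );
	if ( empty( $customer_id ) ) {
		wp_send_json_error( array( 'message' => 'No billing profile.' ), 403 );
	}

	try {
		$stripe = new \Stripe\StripeClient( EXAMPLE_STRIPE_SECRET_KEY );
		// The SetupIntent is created for the current user's own customer
		// record; no customer or intent ID is taken from the request.
		$intent = $stripe->setupIntents->create( array( 'customer' => $customer_id ) );
	} catch ( \Stripe\Exception\ApiErrorException $e ) {
		// Log the error type only; never log the intent or its client_secret.
		error_log( 'SetupIntent creation failed: ' . get_class( $e ) );
		wp_send_json_error( array( 'message' => 'Payment setup failed.' ), 502 );
	}

	// Only now is the client_secret sent, and only to the authenticated owner.
	wp_send_json_success( array( 'client_secret' => $intent->client_secret ) );
}

// The page that starts the setup flow issues the matching token with
// wp_create_nonce( 'example_setup_intent' ) and sends it as 'nonce'.
```

Each wp_send_json_error() call ends the request, so a failed check never falls through to the Stripe call.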
What Site Owners Should Do
Sites using the Membership Plugin – Restrict Content should update to version 3.2.17 or newer. Failure to update the plugin will leave the Stripe SetupIntent client_secret data exposed to unauthenticated attackers. It is essential to take immediate action to protect sensitive payment information and prevent potential attacks.
Conclusion
In conclusion, the vulnerability in the Membership Plugin By StellarWP poses a significant risk to WordPress sites using the plugin. The exposure of sensitive Stripe payment setup data can have severe consequences, including unauthorized access to payment information. By updating to version 3.2.17 or newer, site owners can ensure the security of their sites and protect their users’ sensitive information. It is crucial to prioritize website security and take prompt action to address vulnerabilities to prevent potential attacks and maintain the trust of users.

