Analysis Report · Folder Analysis cache/restrict-content_3.2.15 → cache/restrict-content_3.2.16 — CVE-2025-14000

Shared security patch analysis results

mode patchdiff ai claude_cli haiku
core/includes/member-forms.php AI: 1 vulnerabilities 1 true positive CVE-2025-14000
--- cache/restrict-content_3.2.15/core/includes/member-forms.php	2025-12-24 00:34:15.059560784 +0000+++ cache/restrict-content_3.2.16/core/includes/member-forms.php	2025-12-24 00:34:35.152804364 +0000@@ -123,7 +123,7 @@  		} else { -			echo $rcp_register_form_atts['registered_message'];+			echo wp_kses_post( $rcp_register_form_atts['registered_message'] );  		} @@ -179,4 +179,4 @@ 		</p> 	<?php endif; }-add_action( 'rcp_before_registration_submit_field', 'rcp_add_auto_renew' );\ No newline at end of file+add_action( 'rcp_before_registration_submit_field', 'rcp_add_auto_renew' );
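Review bot: the first hunk wraps only the `registered_message` key at this one `echo`, so any other `$rcp_register_form_atts[...]` value printed elsewhere in this template is not covered by the change. Please confirm the remaining echoes of that array in member-forms.php are escaped for their context (`esc_html()` / `esc_attr()` for plain values, `wp_kses_post()` where markup is intended), or sanitize the array once where it is populated. The second hunk only adds the missing newline at end of file and needs no change.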
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - core/includes/member-forms.php line 126
[Old Code]
```php
echo $rcp_register_form_atts['registered_message'];
```

[Fixed Code]
```php
echo wp_kses_post( $rcp_register_form_atts['registered_message'] );
```

Explanation:
The old code directly echoed user-controlled data (`$rcp_register_form_atts['registered_message']`) without sanitization, creating a Stored XSS vulnerability. An attacker could inject malicious JavaScript code into the registered message that would execute in the browsers of users viewing the form. The fix applies `wp_kses_post()`, a WordPress sanitization function that strips dangerous HTML and JavaScript while allowing safe post content (like `<p>`, `<strong>`, etc.), preventing the XSS attack.
CVE Analysis Results:
CVE-2025-14000: Yes
The Membership Plugin – Restrict Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'register_form' and 'restrict' shortcodes in all versions up to, and including, 3.2.15 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
core/includes/shortcodes.php AI: No vulnerabilities CVE-2025-14000
--- cache/restrict-content_3.2.15/core/includes/shortcodes.php	2025-12-24 00:34:15.087562517 +0000+++ cache/restrict-content_3.2.16/core/includes/shortcodes.php	2025-12-24 00:34:35.172805601 +0000@@ -37,6 +37,10 @@ 		'restrict' 	); +	$atts['userlevel']    = sanitize_text_field( $atts['userlevel'] );+	$atts['subscription'] = sanitize_text_field( $atts['subscription'] );+	$atts['message']      = wp_kses_post( $atts['message'] );+ 	global $rcp_options, $user_ID;  	if ( strlen( $atts['message'] ) > 0 ) {@@ -355,6 +359,11 @@ 		'register_form' 	); +	$atts['id']                 = isset( $atts['id'] ) ? absint( $atts['id'] ) : null;+	$atts['ids']                = isset( $atts['ids'] ) ? implode( ',', array_filter( array_map( 'absint', array_map( 'trim', explode( ',', $atts['ids'] ) ) ) ) ) : null;+	$atts['logged_out_header']  = wp_kses_post( $atts['logged_out_header'] );+	$atts['logged_in_header']   = wp_kses_post( $atts['logged_in_header'] );+ 	global $user_ID;  	/*@@ -376,7 +385,7 @@ 		$output = rcp_registration_form_fields( $atts['id'], $atts );  	} else {-		$output = $atts['registered_message'];+		$output = wp_kses_post( $atts['registered_message'] ); 	} 	return $output; }@@ -492,7 +501,7 @@ 		$stripe_gateway = new RCP_Payment_Gateway_Stripe(); 		$stripe_gateway->scripts(); 		?>-		<div class="rcp-stripe-register" +		<div class="rcp-stripe-register" 		<?php 		foreach ( $data as $label => $value ) { 			printf( ' %s="%s" ', esc_attr( sanitize_html_class( $label ) ), esc_attr( $value ) ); }
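Review bot: in the `restrict` hunk (new lines 40-42), `sanitize_text_field()` on `userlevel` and `subscription` strips tags but does not escape quotes, so it is not a substitute for output escaping. The places where these two values are later printed are not part of this hunk; if either ends up inside an HTML attribute, that sink still needs `esc_attr()`. A short comment above the three assignments stating which context each attribute is rendered in would make the choice of `sanitize_text_field()` versus `wp_kses_post()` easier to audit.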
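Review bot: in the `register_form` hunk, the normalised `ids` value has two different "empty" forms: `null` when the attribute is unset, and an empty string when it is set but contains no valid integers, because `array_filter()` drops the zeros that `absint()` produces. Likewise `id` becomes `0` for non-numeric input. Downstream code should treat all of these the same way, or the values should be normalised to a single representation here. Separately, `registered_message` is filtered at the `$output = ...` line in the following hunk rather than in this block next to `logged_out_header` and `logged_in_header`; moving it here would keep all attribute handling for the shortcode in one place.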
AI Analysis
# Security Analysis of Code Diff

## Vulnerability 1: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

**Vulnerability Existed:** yes

**Stored XSS - CWE-79** - core/includes/shortcodes.php - Lines 40-42

**Old Code:**
```php
// No sanitization of $atts['userlevel'], $atts['subscription'], or $atts['message']
```

**Fixed Code:**
```php
$atts['userlevel']    = sanitize_text_field( $atts['userlevel'] );
$atts['subscription'] = sanitize_text_field( $atts['subscription'] );
$atts['message']      = wp_kses_post( $atts['message'] );
```

**Explanation:**
The shortcode attributes were not being sanitized before use. After the fix, the `userlevel` and `subscription` attributes are sanitized with `sanitize_text_field()`, and `message` is sanitized with `wp_kses_post()`. This prevents malicious JavaScript from being injected through shortcode attributes in post content.

---

## Vulnerability 2: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

**Vulnerability Existed:** yes

**Stored XSS - CWE-79** - core/includes/shortcodes.php - Lines 362-365

**Old Code:**
```php
// No sanitization or validation of id, ids, logged_out_header, logged_in_header
```

**Fixed Code:**
```php
$atts['id']                 = isset( $atts['id'] ) ? absint( $atts['id'] ) : null;
$atts['ids']                = isset( $atts['ids'] ) ? implode( ',', array_filter( array_map( 'absint', array_map( 'trim', explode( ',', $atts['ids'] ) ) ) ) ) : null;
$atts['logged_out_header']  = wp_kses_post( $atts['logged_out_header'] );
$atts['logged_in_header']   = wp_kses_post( $atts['logged_in_header'] );
```

**Explanation:**
Shortcode attributes were not being validated. The `id` attribute is now converted to an integer with `absint()`, `ids` is sanitized by converting comma-separated values to integers, and header attributes are sanitized with `wp_kses_post()`. This prevents XSS attacks through these attributes.

---

## Vulnerability 3: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

**Vulnerability Existed:** yes

**Stored XSS - CWE-79** - core/includes/shortcodes.php - Line 388

**Old Code:**
```php
$output = $atts['registered_message'];
```

**Fixed Code:**
```php
$output = wp_kses_post( $atts['registered_message'] );
```

**Explanation:**
The `registered_message` attribute was being output without sanitization. Adding `wp_kses_post()` prevents XSS by allowing only safe HTML tags while removing potentially dangerous content.

---

## Note on Line 504

**Vulnerability Existed:** no

**Formatting Fix** - core/includes/shortcodes.php - Line 504

**Old Code:**
```php
<div class="rcp-stripe-register" 
```

**Fixed Code:**
```php
<div class="rcp-stripe-register"
```

**Explanation:**
This change removes trailing whitespace and is a formatting/style fix with no security implications.
CVE Analysis Results:
CVE-2025-14000: Yes