Shared security patch analysis results
AI Used: claude_cli haiku
--- cache/restrict-content_3.2.16/core/includes/class-restrict-content.php 2026-01-16 00:20:03.891873765 +0000+++ cache/restrict-content_3.2.17/core/includes/class-restrict-content.php 2026-01-16 00:20:23.881129054 +0000@@ -26,7 +26,7 @@ * @since 3.0 */ final class Restrict_Content_Pro {- const VERSION = '3.5.48';+ const VERSION = '3.5.49'; /** * Stores the base slug for the extension.
I'll analyze the provided code diff for security vulnerabilities. Looking at the diff:
**File:** core/includes/class-restrict-content.php
**Lines:** 29
**Analysis:**
Vulnerability Existed: no
**Explanation:** This diff only contains a version number update from '3.5.48' to '3.5.49' in a class constant definition. There are no security-relevant code changes, no input handling modifications, no authentication/authorization logic changes, and no removal or addition of security controls. This is a routine version bump that carries no security implications.
The Membership Plugin – Restrict Content plugin for WordPress is vulnerable to Missing Authentication in all versions up to, and including, 3.2.16 via the 'rcp_stripe_create_setup_intent_for_saved_card' function due to missing capability check. Additionally, the plugin does not check a user-controlled key, which makes it possible for unauthenticated attackers to leak Stripe SetupIntent client_secret values for any membership.
--- cache/restrict-content_3.2.16/core/includes/gateways/stripe/functions.php 2026-01-16 00:20:03.907874770 +0000+++ cache/restrict-content_3.2.17/core/includes/gateways/stripe/functions.php 2026-01-16 00:20:24.241151656 +0000@@ -148,6 +148,7 @@ 'confirm_delete_card' => esc_html__( 'Are you sure you want to delete this payment method?', 'rcp' ), 'enter_card_name' => __( 'Please enter a card holder name', 'rcp' ), 'pleasewait' => __( 'Please Wait . . . ', 'rcp' ),+ 'nonce' => wp_create_nonce( 'rcp_stripe_create_setup_intent_for_saved_card' ), ) ); try {@@ -846,6 +847,12 @@ * @return void */ function rcp_stripe_create_setup_intent_for_saved_card() {+ check_ajax_referer( 'rcp_stripe_create_setup_intent_for_saved_card', 'nonce' );++ // Check if the user is at least a registered user.+ if ( ! current_user_can( 'read' ) ) {+ wp_send_json_error( __( 'You are not authorized to perform this action.', 'rcp' ) );+ } global $rcp_options;
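Review bot: In the second hunk, the added `current_user_can( 'read' )` check only establishes that the caller is a logged-in user with the baseline capability; nothing in the visible lines ties the request to a membership or payment method owned by that user. If the handler selects a membership from request data further down, add an ownership check against `get_current_user_id()` there, since both the nonce and the `read` capability are available to every registered account. Separately, `check_ajax_referer()` with its default arguments terminates the request itself on a bad nonce rather than returning through `wp_send_json_error()`, so the client script that receives the new `'nonce'` value from the first hunk should handle that non-JSON failure response.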
Vulnerability Existed: no
Cross-Site Request Forgery (CSRF) - CWE-352 - core/includes/gateways/stripe/functions.php - Lines 151, 850
Old Code:
```php
// Line 148-150 (old):
'confirm_delete_card' => esc_html__( 'Are you sure you want to delete this payment method?', 'rcp' ),
'enter_card_name' => __( 'Please enter a card holder name', 'rcp' ),
'pleasewait' => __( 'Please Wait . . . ', 'rcp' ),
// Line 849 (old):
function rcp_stripe_create_setup_intent_for_saved_card() {
```
Fixed Code:
```php
// Line 148-151 (new):
'confirm_delete_card' => esc_html__( 'Are you sure you want to delete this payment method?', 'rcp' ),
'enter_card_name' => __( 'Please enter a card holder name', 'rcp' ),
'pleasewait' => __( 'Please Wait . . . ', 'rcp' ),
'nonce' => wp_create_nonce( 'rcp_stripe_create_setup_intent_for_saved_card' ),
// Line 849-854 (new):
function rcp_stripe_create_setup_intent_for_saved_card() {
	check_ajax_referer( 'rcp_stripe_create_setup_intent_for_saved_card', 'nonce' );
	// Check if the user is at least a registered user.
	if ( ! current_user_can( 'read' ) ) {
		wp_send_json_error( __( 'You are not authorized to perform this action.', 'rcp' ) );
	}
```
Explanation:
A CSRF vulnerability existed in the `rcp_stripe_create_setup_intent_for_saved_card()` AJAX function. The function lacked nonce verification and authorization checks, allowing an attacker to forge requests and manipulate a user's saved payment methods without their consent. The fix properly addresses this by:
1. **Adding nonce generation** (line 151): A WordPress nonce is created and passed to the client-side JavaScript as part of the localized script data.
2. **Adding nonce verification** (line 850): The `check_ajax_referer()` function validates the nonce before processing the request, ensuring the request originated from the legitimate application.
3. **Adding capability check** (lines 853-855): The function now verifies the user has the 'read' capability (indicating they are a registered user), preventing unauthorized access.
These changes successfully prevent CSRF attacks and unauthorized access to the payment method management functionality.
--- cache/restrict-content_3.2.16/legacy/restrictcontent.php 2026-01-16 00:20:04.019881806 +0000+++ cache/restrict-content_3.2.17/legacy/restrictcontent.php 2026-01-16 00:20:25.193211424 +0000@@ -21,7 +21,7 @@ } if ( ! defined( 'RC_PLUGIN_VERSION' ) ) {- define( 'RC_PLUGIN_VERSION', '3.2.16' );+ define( 'RC_PLUGIN_VERSION', '3.2.17' ); } if ( ! defined( 'RC_PLUGIN_DIR' ) ) {
Vulnerability Existed: no
[No Security Vulnerability] - [N/A] - [legacy/restrictcontent.php] [Lines 24]
Old Code:
```php
define( 'RC_PLUGIN_VERSION', '3.2.16' );
```
Fixed Code:
```php
define( 'RC_PLUGIN_VERSION', '3.2.17' );
```
Explanation:
This diff shows a simple version number update from '3.2.16' to '3.2.17'. This is a routine version bump with no security implications. The change does not involve any modifications to code logic, input handling, authentication, authorization, data validation, or any other security-sensitive functionality. It is purely a constant definition update for tracking the plugin version.
--- cache/restrict-content_3.2.16/restrictcontent.php 2026-01-16 00:20:04.023882058 +0000+++ cache/restrict-content_3.2.17/restrictcontent.php 2026-01-16 00:20:25.197211675 +0000@@ -3,7 +3,7 @@ * Plugin Name: Restrict Content * Plugin URI: https://restrictcontentpro.com * Description: Set up a complete membership system for your WordPress site and deliver premium content to your members. Unlimited membership packages, membership management, discount codes, registration / login forms, and more.- * Version: 3.2.16+ * Version: 3.2.17 * Author: StellarWP * Author URI: https://stellarwp.com/ * Requires at least: 6.0@@ -18,7 +18,7 @@ define('RCP_PLUGIN_FILE', __FILE__); define('RCP_ROOT', plugin_dir_path(__FILE__)); define('RCP_WEB_ROOT', plugin_dir_url(__FILE__));-define('RCF_VERSION', '3.2.16');+define('RCF_VERSION', '3.2.17'); // Load Strauss autoload. require_once plugin_dir_path( __FILE__ ) . 'vendor/strauss/autoload.php';
Vulnerability Existed: no
No security vulnerabilities detected in this diff.
Explanation:
This diff only updates version numbers in the plugin header and a version constant from 3.2.16 to 3.2.17. These are metadata changes with no code logic modifications. Version number updates do not introduce or fix security vulnerabilities - they are purely informational changes that track the release version of the plugin.