CVE-2025-13371
Sensitive Data Exposure in MoneySpace WordPress Plugin

Publication date: 2026-01-07

Last updated on: 2026-04-08

Assigner: Wordfence

Description
The MoneySpace plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.13.9. This is due to the plugin storing full payment card details (PAN, card holder name, expiry month/year, and CVV) in WordPress post_meta using base64_encode(), and then embedding these values into the publicly accessible mspaylink page's inline JavaScript without any authentication or authorization check. This makes it possible for unauthenticated attackers who know or can guess an order_id to access the mspaylink endpoint and retrieve full credit card numbers and CVV codes directly from the HTML/JS response, constituting a severe PCI-DSS violation.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-01-07
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: moneyspace
Product: moneyspace_plugin
Version / Range: up to 2.13.9 (inclusive)
CWE
CWE-200: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
AI Powered Q&A
Can you explain this vulnerability to me?

The MoneySpace plugin for WordPress up to version 2.13.9 stores full payment card details (including PAN, cardholder name, expiry date, and CVV) encoded with base64 in WordPress post_meta. These details are then embedded into a publicly accessible page's inline JavaScript without any authentication or authorization. This allows unauthenticated attackers who know or can guess an order_id to access the page and retrieve full credit card information directly from the HTML/JavaScript response.

How can this vulnerability impact me?

This vulnerability can lead to unauthorized disclosure of sensitive payment card information, including full credit card numbers and CVV codes. Attackers can access this data without authentication, potentially leading to financial fraud, identity theft, and severe damage to customer trust and business reputation.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability constitutes a severe PCI-DSS violation because it exposes full payment card data without proper protection. Such exposure can also lead to non-compliance with data protection regulations like GDPR, which require safeguarding personal data, and may result in legal and financial penalties.
How can this vulnerability be detected on my network or system? Can you suggest some commands?

You can detect this vulnerability by attempting to access the mspaylink endpoint with guessed or known order_id values and inspecting the HTML/JavaScript response for exposed base64-encoded payment card details. For example, fetch the page with curl or wget and search the response for base64-encoded strings that decode to payment card information. Example command: curl -s 'https://yourwordpresssite.com/mspaylink?order_id=12345' | grep -Eo 'base64_encoded_string_pattern', then decode the matched base64 strings and check them for sensitive data. [1]
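As an added example (not part of this record and not the plugin's code), the following Python scans an already-captured page body for base64 tokens that decode to a Luhn-valid card number and reports them masked to the last four digits, so a finding can be logged without re-exposing the PAN. The sample response, its variable names and the test card number 4111111111111111 are constructed; the plugin's actual markup is not shown on this page.

```python
import base64
import binascii
import re

# Candidate base64 tokens: card data is short, so 12 chars is a safe lower bound.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")


def luhn_valid(digits: str) -> bool:
    """Luhn check used by card networks; weeds out random digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits so findings can be logged safely."""
    return "*" * (len(pan) - 4) + pan[-4:]


def find_exposed_pans(html: str) -> list[str]:
    """Return masked, deduplicated PANs found base64-encoded in a page body."""
    found = []
    for token in B64_TOKEN.findall(html):
        try:
            decoded = base64.b64decode(token, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not valid base64, or not text once decoded
        if decoded.isdigit() and 13 <= len(decoded) <= 19 and luhn_valid(decoded):
            masked = mask_pan(decoded)
            if masked not in found:
                found.append(masked)
    return found


def build_sample_response() -> str:
    """Constructed stand-in for an mspaylink-style response (not the plugin's markup)."""
    b64 = lambda s: base64.b64encode(s.encode()).decode()
    return (
        "<script>\n"
        f"var card_number = '{b64('4111111111111111')}';\n"  # Visa test number
        f"var card_holder = '{b64('Test Holder')}';\n"       # dummy holder
        f"var card_cvv = '{b64('123')}';\n"                  # dummy CVV
        "</script>"
    )


if __name__ == "__main__":
    print(find_exposed_pans(build_sample_response()))  # ['************1111']
```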
What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include disabling or removing the MoneySpace plugin until a secure version is available, restricting access to the mspaylink endpoint via authentication or IP whitelisting, and ensuring that no sensitive payment card data is stored in an unprotected manner. Additionally, review and remove any stored payment card details from the WordPress post_meta database to prevent further exposure. [1]