Description
The MoneySpace plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.13.9. This is due to the plugin storing full payment card details (PAN, card holder name, expiry month/year, and CVV) in WordPress post_meta using base64_encode(), and then embedding these values into the publicly accessible mspaylink page's inline JavaScript without any authentication or authorization check. This makes it possible for unauthenticated attackers who know or can guess an order_id to access the mspaylink endpoint and retrieve full credit card numbers and CVV codes directly from the HTML/JS response, constituting a severe PCI-DSS violation.
Published: 2026-01-07
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Data Exposure of Full Credit Card Details
Action: Immediate Patch
AI Analysis

Impact

The MoneySpace plugin for WordPress stores complete payment card details (PAN, card holder name, expiry month/year, and CVV) in WordPress post_meta using base64_encode(), then embeds these values into the publicly accessible mspaylink page's inline JavaScript without any authentication or authorization checks. This flaw, identified as CWE-200 Sensitive Information Exposure, permits an unauthenticated attacker who knows or can guess an order_id to retrieve full credit card numbers and CVV codes directly from the HTML/JS response, constituting a severe PCI-DSS violation. The impact is a significant compromise of confidentiality and potential fraudulent exploitation of cardholder data.

Affected Systems

All installations of the MoneySpace plugin for WordPress running any version up to and including 2.13.9 are vulnerable.

Risk and Exploitability

The CVSS score of 8.6 classifies this flaw as high severity, yet the EPSS score is less than 1%, indicating a low exploitation probability at present. It is not listed in the CISA KEV catalog. An attacker can exploit the vulnerability by sending an unauthenticated request to the mspaylink endpoint with a valid or guessable order_id and parsing the inline JavaScript for the base64-encoded card data. The attack requires no special privileges and can be automated once the target order_id space is enumerated.

Generated by OpenCVE AI on April 22, 2026 at 03:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the MoneySpace plugin to the latest available version that removes the data exposure flaw.
  • If immediate upgrade is not possible, restrict access to the mspaylink endpoint by enforcing authentication or role checks so that only authorized users can request order pages.
  • Remove stored payment card details from the WordPress post_meta database to eliminate any residual sensitive data.
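The recommended actions above, as an added illustration in WordPress PHP. This is not the MoneySpace plugin's code: the function names, the `_ms_*` meta keys and the per-order access key are hypothetical assumptions. It places the insecure storage-and-echo pattern the advisory describes next to a hardened pay-link handler that never persists PAN or CVV, authorizes the request before rendering, and purges any legacy card meta left in post_meta.

```php
<?php
// Added illustration (not the MoneySpace plugin's code). All ms_* function names
// and _ms_* meta keys are hypothetical placeholders.

// --- Insecure pattern (for contrast only) ----------------------------------------
// base64 is an encoding, not encryption: base64_decode() recovers the stored card
// data verbatim, and echoing it into inline JS on a page with no authorization
// check exposes it to anyone who can reach the URL with an order_id.
function ms_insecure_store_card( int $order_id, array $card ): void {
    update_post_meta( $order_id, '_ms_card', base64_encode( wp_json_encode( $card ) ) );
}
function ms_insecure_render_paylink( int $order_id ): string {
    $encoded = get_post_meta( $order_id, '_ms_card', true ); // no auth check at all
    return '<script>var card = JSON.parse(atob("' . $encoded . '"));</script>';
}

// --- Hardened pattern ------------------------------------------------------------
// 1. Never persist PAN or CVV. Keep a gateway-issued token for server-side use and a
//    masked string for display; the CVV is deliberately not stored anywhere.
function ms_store_payment_reference( int $order_id, string $gateway_token, string $pan ): void {
    $last4 = substr( preg_replace( '/\D/', '', $pan ), -4 );
    update_post_meta( $order_id, '_ms_gateway_token', $gateway_token );
    update_post_meta( $order_id, '_ms_card_masked', '**** **** **** ' . $last4 );
}

// 2. Authorize before rendering: the visitor must present the per-order key (checked
//    with hash_equals() so order_id guessing alone is not enough) and must either be
//    an administrator or the logged-in owner of the order.
function ms_can_view_paylink( int $order_id, string $supplied_key ): bool {
    $order = get_post( $order_id );
    if ( ! $order ) {
        return false;
    }
    $stored_key = (string) get_post_meta( $order_id, '_ms_order_key', true );
    if ( '' === $stored_key || ! hash_equals( $stored_key, $supplied_key ) ) {
        return false;
    }
    if ( current_user_can( 'manage_options' ) ) {
        return true;
    }
    return is_user_logged_in() && (int) $order->post_author === get_current_user_id();
}

// 3. Emit only non-sensitive data, JSON-encoded with HEX flags so the value cannot
//    break out of the <script> element. The gateway token stays server-side.
function ms_render_paylink( int $order_id ): string {
    $key = isset( $_GET['key'] ) ? sanitize_text_field( wp_unslash( $_GET['key'] ) ) : '';
    if ( ! ms_can_view_paylink( $order_id, $key ) ) {
        wp_die(
            esc_html__( 'You are not allowed to view this order.', 'ms-example' ),
            '',
            array( 'response' => 403 )
        );
    }
    $payload = array(
        'order_id' => $order_id,
        'card'     => get_post_meta( $order_id, '_ms_card_masked', true ),
    );
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return '<script>var order = ' . wp_json_encode( $payload, $flags ) . ';</script>';
}

// --- Cleanup of residual card data (third recommended action) ---------------------
// Deletes the legacy meta from every post that carries it. Run once from a one-off
// admin action or via WP-CLI `wp eval-file`; returns the number of posts cleaned.
function ms_purge_stored_card_data(): int {
    global $wpdb;
    $post_ids = $wpdb->get_col(
        $wpdb->prepare( "SELECT DISTINCT post_id FROM {$wpdb->postmeta} WHERE meta_key = %s", '_ms_card' )
    );
    foreach ( $post_ids as $post_id ) {
        delete_post_meta( (int) $post_id, '_ms_card' );
    }
    return count( $post_ids );
}
```

The key design point is that authorization and data minimization are independent controls: the access check stops the unauthenticated read described in the advisory, while not storing PAN or CVV at all means a future authorization bug cannot leak cardholder data that was never there.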

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 17:45:00 +0000

Thu, 08 Jan 2026 10:00:00 +0000

Type                 Values Removed    Values Added
First Time appeared  -                 Wordpress
                                       Wordpress wordpress
Vendors & Products   -                 Wordpress
                                       Wordpress wordpress

Wed, 07 Jan 2026 17:15:00 +0000

Type      Values Removed    Values Added
Metrics   -                 ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 07 Jan 2026 06:45:00 +0000

Type          Values Removed    Values Added
Description   -                 (identical to the Description section above)
Title         -                 Money Space <= 2.13.9 - Unauthenticated Sensitive Information Exposure
Weaknesses    -                 CWE-200
References    -                 -
Metrics       -                 cvssV3_1: {'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:01:46.647Z

Reserved: 2025-11-18T18:31:10.599Z

Link: CVE-2025-13371

Vulnrichment

Updated: 2026-01-07T14:51:50.811Z

NVD

Status: Deferred

Published: 2026-01-07T12:16:47.583

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13371

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T04:00:07Z

Weaknesses