
CVE-2025-13371: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in moneyspace Money Space

Severity: High
Tags: Vulnerability, CVE-2025-13371, CWE-200
Published: Wed Jan 07 2026 (01/07/2026, 06:36:02 UTC)
Source: CVE Database V5
Vendor/Project: moneyspace
Product: Money Space

Description

CVE-2025-13371 is a high-severity vulnerability in the MoneySpace WordPress plugin (up to version 2.13.9) that exposes full payment card details, including PAN, cardholder name, expiry date, and CVV, to unauthenticated attackers. The plugin stores the card data base64-encoded in WordPress post_meta and embeds it in the inline JavaScript of the publicly accessible mspaylink page without any authentication or authorization check. Anyone who knows or can guess an order_id can request this page and retrieve full credit card information, which violates PCI-DSS. The vulnerability has a CVSS score of 8.6, reflecting a critical confidentiality impact with no privileges or user interaction required. No exploits in the wild are currently reported. European organizations using this plugin face data breach and regulatory penalty risk. Immediate mitigation involves removing sensitive data from post_meta, restricting access to the mspaylink endpoint, and applying secure coding practices to protect payment information.

AI-Powered Analysis

Last updated: 01/14/2026, 15:40:07 UTC

Technical Analysis

The MoneySpace plugin for WordPress, used for payment processing, suffers from a critical sensitive information exposure vulnerability identified as CVE-2025-13371. The root cause is the plugin's insecure handling of payment card data: it stores full card details, including the primary account number (PAN), cardholder name, expiration month and year, and CVV, in WordPress's post_meta table using base64 encoding, which is an encoding rather than a protection and offers no confidentiality. These encoded details are then embedded directly into the inline JavaScript of the publicly accessible mspaylink page without any authentication or authorization check. As a result, any unauthenticated attacker who can guess or obtain a valid order_id can request the mspaylink endpoint and read the card data out of the HTML/JavaScript response. This is a severe violation of PCI-DSS, which prohibits storing sensitive authentication data such as CVV codes at all. The vulnerability is exploitable remotely over the network without user interaction or privileges, and it affects all versions of the plugin up to and including 2.13.9. Although no exploits have been reported in the wild yet, the CVSS score of 8.6 reflects the critical confidentiality impact and the ease of exploitation. The exposure is broad because WordPress is a popular CMS in Europe and MoneySpace is used by a range of e-commerce sites. The absence of integrity or availability impact does not reduce the severity of the data breach risk. Urgent remediation is required to prevent unauthorized disclosure of payment card data.

Potential Impact

For European organizations, this vulnerability poses a significant risk of payment card data breaches, leading to financial fraud, identity theft, and loss of customer trust. Exposure of full card details including CVV is a direct violation of PCI-DSS, potentially resulting in hefty fines, legal liabilities, and increased scrutiny from data protection authorities such as those enforcing GDPR. E-commerce businesses using the MoneySpace plugin may face operational disruptions, reputational damage, and mandatory breach notifications under European data protection laws. The ease of exploitation without authentication means attackers can systematically harvest card data by enumerating order_ids, amplifying the scale of potential compromise. Additionally, compromised payment data can facilitate further attacks such as phishing or account takeover. The vulnerability also undermines compliance with industry standards and could lead to suspension of payment processing capabilities by acquiring banks or payment processors. Overall, the threat is critical for any European entity handling card payments via the affected plugin.

Mitigation Recommendations

1. Immediately audit all WordPress installations using the MoneySpace plugin and identify versions up to 2.13.9.
2. Remove or sanitize any stored payment card data from the WordPress post_meta database to eliminate residual sensitive information.
3. Restrict access to the mspaylink endpoint by implementing strong authentication and authorization controls, ensuring only legitimate users can access payment-related pages.
4. Avoid storing sensitive cardholder data such as CVV in any form; if storage is necessary, use strong encryption compliant with PCI-DSS standards and ensure data is never exposed in client-side code.
5. Update or patch the plugin once the vendor releases a secure version that addresses this vulnerability.
6. Conduct a thorough PCI-DSS compliance review and notify relevant stakeholders and regulators if a breach is suspected.
7. Monitor web server logs for suspicious access patterns to the mspaylink endpoint, especially repeated order_id enumeration attempts.
8. Educate developers and administrators on secure coding practices for handling payment data, emphasizing the prohibition of storing CVV and the need for server-side protections.
9. Consider deploying Web Application Firewalls (WAF) with custom rules to block unauthorized access to sensitive endpoints until a patch is applied.
10. Engage with payment processors to review and update security controls and incident response plans.
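As an added example (not code from this page or from the MoneySpace plugin), the following Python script applies mitigation step 7 to constructed web-server access log lines: it groups mspaylink requests by client IP and flags clients that requested many distinct order_id values. The `/mspaylink/` path and the `order_id` query parameter name are assumptions about the plugin's URL layout.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed combined-format access log lines (not real traffic). The /mspaylink/ path
# and the order_id parameter are assumptions about how the plugin exposes the pay link.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Jan/2026:06:40:01 +0000] "GET /mspaylink/?order_id=1001 HTTP/1.1" 200 5120 "-" "python-requests/2.31"
203.0.113.7 - - [07/Jan/2026:06:40:02 +0000] "GET /mspaylink/?order_id=1002 HTTP/1.1" 200 5118 "-" "python-requests/2.31"
203.0.113.7 - - [07/Jan/2026:06:40:02 +0000] "GET /mspaylink/?order_id=1003 HTTP/1.1" 200 5121 "-" "python-requests/2.31"
203.0.113.7 - - [07/Jan/2026:06:40:03 +0000] "GET /mspaylink/?order_id=1004 HTTP/1.1" 404 310 "-" "python-requests/2.31"
198.51.100.4 - - [07/Jan/2026:06:41:10 +0000] "GET /mspaylink/?order_id=1001 HTTP/1.1" 200 5120 "https://shop.example/checkout" "Mozilla/5.0"
198.51.100.4 - - [07/Jan/2026:06:41:15 +0000] "GET /wp-content/themes/x/style.css HTTP/1.1" 200 800 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Return (ip, timestamp, request target, status) for one combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("ts"), m.group("target"), int(m.group("status"))

def mspaylink_order_ids(lines):
    """Map each client IP to the set of distinct order_id values it requested on mspaylink.
    Failed (non-200) requests are counted too: probing for valid ids is part of the pattern."""
    seen = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, _ts, target, _status = parsed
        url = urlparse(target)
        if "mspaylink" not in url.path:
            continue
        for oid in parse_qs(url.query).get("order_id", []):
            seen[ip].add(oid)
    return seen

def enumeration_suspects(lines, threshold=3):
    """Flag IPs that requested at least `threshold` distinct order_ids on mspaylink.
    A legitimate customer normally opens one pay link; many ids from one client is enumeration."""
    return {ip: sorted(ids) for ip, ids in mspaylink_order_ids(lines).items() if len(ids) >= threshold}

if __name__ == "__main__":
    for ip, ids in enumeration_suspects(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {len(ids)} distinct order_ids requested on mspaylink -> {ids}")
```

Tune `threshold` to the site's real traffic; a shared NAT or a support agent may legitimately open a handful of links, so corroborate hits with user agent and timing before blocking.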


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2025-11-18T18:31:10.599Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 695e0293a55ed4ed9984d522

Added to database: 1/7/2026, 6:52:03 AM

Last enriched: 1/14/2026, 3:40:07 PM

Last updated: 2/4/2026, 10:49:58 AM

